Closed GoogleCodeExporter closed 8 years ago
I'm inclined to view this as correct behavior, as xar attempts to exactly preserve what was archived. The setuid bit was set on the archived file; it should be preserved on extraction as well.
xar's -tvf support now allows easier examination of the contents of the archive (easier than examining the table of contents, which has always been available).
I'm not immediately closing this as I'm open to counter arguments, but the fundamental objective of an archiver is to preserve what was archived.
Original comment by bbraun on 20 Sep 2007 at 11:29
99.9% of people are not going to look through an archive for setuid files prior to extracting it, or even consider the possibility of it being an issue.
What if it printed a warning when extracting setuid/setgid files? That would be acceptable too.
Also, there could be a non-default nosugid mode which doesn't preserve setuid/setgid.
If it's made clear that the default behavior preserves the bits, and there is an alternative available, I think the security concern would be addressed.
Original comment by ApplePro...@gmail.com on 20 Sep 2007 at 11:47
Ok, how's about this:
xar -xvf foo.xar
This extracts files as the extracting process's uid/gid. This will be modified to not preserve setuid/gid bits.
xar -xvpf foo.xar
xar -xvPf foo.xar
These extract files as the uid/gid or username/groupname the file was archived with. This will still preserve setuid/setgid bits. This is only really effective when run as root, so the chown will work correctly.
xar -xvf foo.xar --keep-setuid
Still extracts the files as the extracting process's uid/gid, but preserves the setuid/setgid bits.
This was committed to trunk in commit 183, if you want to try it out.
Original comment by bbraun on 21 Sep 2007 at 7:05
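The three extraction modes above, plus the pre-extraction audit the earlier comment says almost nobody does by hand, as an added Python example that is not part of the xar project or this thread. It assumes a constructed listing format ("type+perms owner group path" per line, ls-style permission strings); it does not claim to match xar's real -tvf output, and the policy function only models the setuid/setgid handling described in the comment, not xar's code.

```python
import stat

# Mode bits for each slot of a 9-character ls-style permission string.
_SLOT_BITS = (
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
)
# Execute slots that can instead carry a special bit: 's' (setuid/setgid), 't' (sticky).
_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def parse_symbolic_mode(perm: str) -> int:
    """Turn 'rwsr-xr-x' into numeric mode bits (0o4755).

    Lower-case 's'/'t' mean the special bit plus execute; upper-case 'S'/'T'
    mean the special bit is set but execute is not."""
    if len(perm) != 9:
        raise ValueError(f"expected 9 permission characters, got {perm!r}")
    mode = 0
    for i, ch in enumerate(perm):
        if ch == "-":
            continue
        if i in _SPECIAL and ch in "sStT":
            mode |= _SPECIAL[i]
            if ch in "st":
                mode |= _SLOT_BITS[i]
        elif ch == "rwx"[i % 3]:
            mode |= _SLOT_BITS[i]
        else:
            raise ValueError(f"bad permission character {ch!r} at position {i}")
    return mode


def extraction_mode(archived_mode: int, preserve_owner: bool = False,
                    keep_setuid: bool = False) -> int:
    """Mode applied on extraction under the policy described in the comment:
    plain `xar -xf` drops setuid/setgid; `-p`/`-P` keep them; `--keep-setuid`
    keeps them while still extracting as the current uid/gid.
    (Model of the described behaviour, not xar's own code.)"""
    mode = stat.S_IMODE(archived_mode)  # strip file-type bits, keep permission bits
    if preserve_owner or keep_setuid:
        return mode
    return mode & ~(stat.S_ISUID | stat.S_ISGID)


def privileged_entries(listing: str) -> list[str]:
    """Pre-extraction audit: return the paths of entries carrying setuid or setgid.

    The listing format assumed here is 'TYPE+PERMS OWNER GROUP PATH' per line,
    a constructed stand-in rather than xar's actual -tvf layout."""
    found = []
    for line in listing.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        mode = parse_symbolic_mode(parts[0][1:])  # drop the type char ('-', 'd', 'l')
        if mode & (stat.S_ISUID | stat.S_ISGID):
            found.append(parts[3])
    return found


# Constructed sample listing (not real xar output).
SAMPLE_LISTING = """\
drwxr-xr-x root wheel bin
-rwxr-xr-x root wheel bin/cat
-rwsr-xr-x root wheel bin/ping
-rwxr-sr-x root tty   bin/wall
-rw-r--r-- user staff README
"""

if __name__ == "__main__":
    for path in privileged_entries(SAMPLE_LISTING):
        print("setuid/setgid entry:", path)
    archived = parse_symbolic_mode("rwsr-xr-x")
    print(oct(extraction_mode(archived)))                    # plain -x strips the bit
    print(oct(extraction_mode(archived, keep_setuid=True)))  # --keep-setuid retains it
```

Running the audit over a listing before extracting is the cheap check the thread argues most users skip; the policy function makes explicit that only `-p`/`-P` (meaningful as root) or the opt-in `--keep-setuid` leave the bits on.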
Excellent. I tried it and it looks good, thanks.
Original comment by ApplePro...@gmail.com on 21 Sep 2007 at 8:26
Great. Changing state to verified then.
Original comment by bbraun on 21 Sep 2007 at 8:53
Original issue reported on code.google.com by ApplePro...@gmail.com on 20 Sep 2007 at 10:57