search

schwer-q / xar

Automatically exported from code.google.com/p/xar
0 stars 0 forks source link

xar preserves setuid/setgid bit by default #38

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
xar preserves the setuid bit when extracting from an archive.  This has
been considered a minor security issue in other products in the past.   See
for example 
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-0602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-2541

If a local attacker can trick a user into extracting an archive, he can
potentially run code as that user(including root).

There should be a nondefault option to preserve the bits.   e.g. unzip -K,
tar -p

Steps to repro with xar 4.5.1 and 4.4 on Leopard 9A557:
 mkdir stuff
 touch stuff/1
 touch stuff/2
 chmod u+sx stuff/1
 chmod g+sx stuff/2
xar -cvf stuff.xar stuff
rm -r stuff
xar -xvf stuff.xar

1 and 2 still have the setuid/setgid bit set.  
sudo xar -xvf stuff.xar
1 and 2 still have the bit set and are owned by root.

Original issue reported on code.google.com by ApplePro...@gmail.com on 20 Sep 2007 at 10:57

GoogleCodeExporter commented 9 years ago 
I'm inclined to view this as correct behavior, as xar attempts to exactly 
preserve
what was archived.  The setuid bit was set on the archived file, it should be
preserved on extraction as well.
xar's -tvf support now allows easier examination of the contents of the archive
(easier than examining the table of contents, which has always been available).

I'm not immediately closing this as I'm open to counter arguments, but the
fundamental objective of an archiver to preserve what was archived.

Original comment by bbraun on 20 Sep 2007 at 11:29

GoogleCodeExporter commented 9 years ago 
99.9% of people are not going to look through an archive for setuid files prior 
to extracting it, or even 
consider the possibility of it being an issue.  

What if it printed a warning when extracting setuid/setgid files?  That would 
be acceptable too.  

Also, there could be a non-default nosugid mode which doesn't preserve 
setugid/setgid.  
If it's made clear that the default behavior preserve the bits, and there is an 
alternative available, I think the 
security concern would be addressed.

Original comment by ApplePro...@gmail.com on 20 Sep 2007 at 11:47

GoogleCodeExporter commented 9 years ago 
Ok, how's about this:

xar -xvf foo.xar
This extracts files as the extracting process uid/gid.  This will be modified 
to not
preserve setuid/gid bits.

xar -xvpf foo.xar
xar -xvPf foo.xar
These extract files as the uid/gid or username/groupname the file was archived 
with.
 This will still preserve setuid/setguid bits.  This is only really effective when
run as root, so the chown will work correctly.

xar -xvf foo.xar --keep-setuid
Still extracts the files as the extracting process' uid/gid, but preserves the
setuid/setgid bits.

This was committed to trunk in commit 183, if you want to try it out.

Original comment by bbraun on 21 Sep 2007 at 7:05

GoogleCodeExporter commented 9 years ago 
Excellent.  I tried it and it looks good, thanks.

Original comment by ApplePro...@gmail.com on 21 Sep 2007 at 8:26

GoogleCodeExporter commented 9 years ago 
Great.  Changing state to verified then.

Original comment by bbraun on 21 Sep 2007 at 8:53