Security hole in tar on Microport

Thu Nov 3 05:08:43 AEST 1988

In article <226 at sea375.UUCP>, dave at sea375.UUCP (David A. Wilson) writes:
> I have a problem with using tar on microport. I created a tar floppy
> on a system as an unpriviledged user. When I extracted the floppy on
> another system running Microport System V/AT version 2.3 all the files
> extracted were owned by the userid of the other system...

Remember that tar is a V7-ish program.  It just extracts files and chowns
them back to the original owners as recorded on the archive.  The assump-
tion is that either you're running as root and you want to restore the
original owners OR you're not root, the chowns will all fail, and you will
end up owning the files.

Under V7 (and BSD) chown is effectively restricted to root; you can't give
away files.  Thus tar, as it is written, works sensibly.  Under Sys V, you
can chown a file to someone else if you own it.  You may regard this as a
feature or a bug in chown, but in any case it's a mismatch to the way tar
is written.

What makes the Sys V chown seriously annoying in this context is that
once you've chowned away a file, you can't chown it back to yourself
(since you don't own it) - obvious enough; that's how it should be, but it
means that if you chown both a directory and a file within that directory,
you can't get rid of them without help from the receiving user or root.
If the receiving user doesn't exist (e.g., restoring from a tar archive on
another machine), root has to help you.  (You can't delete the directory,
even if it's within a directory you can write, because it isn't empty.  You
can't empty it because you don't own it or the file within it.)

> It seems like a rather large security hole to me! I have never seen
> this behavior on other systems, so what's the problem with microport?

Strictly speaking, it's not a security hole.  You can create files and make
them owned by someone else, which certainly would let you subvert any
per-user disk accounting.  However, chown resets the setuid/setgid bits,
so it's safe there.

> Are other utilities in microport allowed to do this also?

I don't know what other programs might do chowns, but the "facility" to
give away files is there for any program or user that wants it.
-- 
Dick Dunn      UUCP: {ncar,nbires}!ico!rcd           (303)449-2870
   ...Nothing left to do but smile, smile, smile.