Re: bsdtar's security restrictions (was Re: Spurious EACCES errors from apache)

From: Kris Kennaway <kris_at_obsecurity.org>
Date: Sun, 15 Aug 2004 13:59:46 -0700

On Sun, Aug 15, 2004 at 01:51:24PM -0700, Tim Kientzle wrote:

> >With help from rwatson we tracked it down to bsdtar, which seems to be
> >setting and resetting permissions on every path component when
> >extracting a tarball. 
> 
> Yes, bsdtar does protect dirs that it is currently
> extracting to in an attempt to close certain security
> races.  (Otherwise, there are windows during
> the process of setting permissions, ownership,
> ACLs, file flags, etc, when a file being
> extracted may be vulnerable to another process.)
> 
> This is done for any directory explicitly mentioned
> in the archive and any implicit directory that
> is actually created.  Directories that already
> exist and are only referenced implicitly shouldn't
> have their permissions edited.
> 
> > This is bad when some of those directories
> >already exist, because other processes trying to access files in the
> >directory hierarchy may lose the race and fail.
> 
> <scratching head>  I don't think I understand what
> exactly you're trying to do.
> 
> You are extracting archives over an existing directory
> that is currently being served by an Apache process in
> order to refresh some (presumably) small number of files?
> 
> Give me some more details about your situation and I'll
> see what I can come up with.

I pull in packages from package build clients with
ssh client tar | tar.  It creates archives like this:

packages
packages/All
packages/All/uzap-1.0.tgz
packages/editors
packages/editors/uzap-1.0.tgz
packages/Latest
packages/Latest/uzap.tgz

packages/ is supposed to have these permissions:

drwxr-xr-x  93 ports-i386  portmgr  2048 Aug 14 23:12 packages/

But while the archive is being extracted it is changed to

drwx------  93 ports-i386  portmgr  2048 Aug 14 23:12 packages/

Thus, other processes that are concurrently trying to read other
packages in that directory (apache, trying to serve them out as
dependencies for other package builds) receive EACCES.

Kris

Received on Sun Aug 15 2004 - 18:59:48 UTC
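
The policy described in this exchange, as an added example that is not part of the original message and is not bsdtar's code: a toy extractor that restricts explicit directory entries and newly created implicit directories to 0700 until extraction finishes, run against a pre-existing `packages/` at 0755. The function names, the 0755 final mode for implicit directories and the sample entry lists (built from the listing in the message) are assumptions.

```python
import os
import stat
import tempfile

def extract(root, entries, observe):
    """Toy extractor. entries: (path, is_dir, final_mode) tuples in archive order."""
    deferred = {}  # directory -> mode to apply once extraction has finished
    for path, is_dir, mode in entries:
        full = os.path.join(root, path)
        # Implicit parents: only the ones that have to be created are restricted.
        missing, parent = [], os.path.dirname(path)
        while parent and not os.path.isdir(os.path.join(root, parent)):
            missing.append(parent)
            parent = os.path.dirname(parent)
        for p in reversed(missing):
            os.mkdir(os.path.join(root, p), 0o700)
            deferred[p] = 0o755  # assumed final mode for implicit directories
        if is_dir:
            # Explicit directory entry: restricted even when it already exists.
            if not os.path.isdir(full):
                os.mkdir(full, 0o700)
            os.chmod(full, 0o700)
            deferred[path] = mode
        else:
            with open(full, "wb"):
                pass
            os.chmod(full, mode)
            observe()  # a concurrent reader would look at the tree here
    for p in sorted(deferred, key=len, reverse=True):  # deepest first
        os.chmod(os.path.join(root, p), deferred[p])

def live_dir_modes(entries):
    """Pre-create packages/ at 0755; return (modes seen mid-extraction, final mode)."""
    with tempfile.TemporaryDirectory() as root:
        live = os.path.join(root, "packages")
        os.mkdir(live)
        os.chmod(live, 0o755)
        seen = []
        extract(root, entries, lambda: seen.append(stat.S_IMODE(os.stat(live).st_mode)))
        return seen, stat.S_IMODE(os.stat(live).st_mode)

# Constructed sample input: the three files from the listing in the message.
FILES = [("packages/All/uzap-1.0.tgz", False, 0o644),
         ("packages/editors/uzap-1.0.tgz", False, 0o644),
         ("packages/Latest/uzap.tgz", False, 0o644)]
# The listing as posted: every directory is also an explicit archive entry.
EXPLICIT = [("packages", True, 0o755)]
for f in FILES:
    EXPLICIT += [(os.path.dirname(f[0]), True, 0o755), f]
```

With the listing as posted, `live_dir_modes(EXPLICIT)` observes `packages/` at 0700 while files are being written; with `FILES` alone the pre-existing directory stays at 0755 throughout.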
