On Sun, Aug 15, 2004 at 01:51:24PM -0700, Tim Kientzle wrote:
> >With help from rwatson we tracked it down to bsdtar, which seems to be
> >setting and resetting permissions on every path component when
> >extracting a tarball.
>
> Yes, bsdtar does protect dirs that it is currently
> extracting to in an attempt to close certain security
> races. (Otherwise, there are windows during
> the process of setting permissions, ownership,
> ACLs, file flags, etc, when a file being
> extracted may be vulnerable to another process.)
>
> This is done for any directory explicitly mentioned
> in the archive and any implicit directory that
> is actually created. Directories that already
> exist and are only referenced implicitly shouldn't
> have their permissions edited.
>
> > This is bad when some of those directories
> >already exist, because other processes trying to access files in the
> >directory hierarchy may lose the race and fail.
>
> <scratching head> I don't think I understand what
> exactly you're trying to do.
>
> You are extracting archives over an existing directory
> that is currently being served by an Apache process in
> order to refresh some (presumably) small number of files?
>
> Give me some more details about your situation and I'll
> see what I can come up with.

I pull in packages from package build clients with ssh client tar | tar.
It creates archives like this:

packages
packages/All
packages/All/uzap-1.0.tgz
packages/editors
packages/editors/uzap-1.0.tgz
packages/Latest
packages/Latest/uzap.tgz

packages/ is supposed to have these permissions:

drwxr-xr-x 93 ports-i386 portmgr 2048 Aug 14 23:12 packages/

But while the archive is being extracted it is changed to

drwx------ 93 ports-i386 portmgr 2048 Aug 14 23:12 packages/

Thus, other processes that are concurrently trying to read other
packages in that directory (apache, trying to serve them out as
dependencies for other package builds) receive EACCES.

Kris