Bug 167544 - unpack tar invocation allows for odd tarballs to loosen workdir perms
Status: RESOLVED INVALID
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core - Ebuild Support
Hardware: All Linux
Importance: High normal
Assignee: Portage team
Reported: 2007-02-18 22:44 UTC by Brian Harring (RETIRED)
Modified: 2007-02-19 00:25 UTC
Description Brian Harring (RETIRED) gentoo-dev 2007-02-18 22:44:49 UTC
Rather weird corner case admittedly, but workdir perms are fairly locked down; problem is, crappy tarballs can actually modify that.

Example is gnuconfig-20070118; the tar has an entry for '.', thus tar tries to enforce the perms/times on cwd, i.e., WORKDIR (if that's cwd).

Suggest adding --exclude . so that weird tarballs don't inadvertently loosen the perms. As is, gnuconfig reduces workdir from 0700 to 0770.

Worst case, the tarball could be particularly retarded and loosen the perms to 0777.
Comment 1 Brian Harring (RETIRED) gentoo-dev 2007-02-18 22:57:23 UTC
Worth noting, --exclude . doesn't cut it, although don't have an appropriate pattern for it atm.
Comment 2 Zac Medico gentoo-dev 2007-02-18 23:30:56 UTC
Well, I don't observe the behavior you describe unless I enable tar's -p option, which portage doesn't use in its unpack function.
Comment 3 Brian Harring (RETIRED) gentoo-dev 2007-02-19 00:25:48 UTC
As stated in #2, won't touch perms, although it does force a utime through...
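
A pre-unpack check for the case discussed in this bug, as an added example that is not part of the bug thread or of Portage's code: it flags tar members that resolve to the extraction directory itself and reports the mode and mtime they carry, and whether that mode would loosen a 0700 WORKDIR if tar applied it. The sample tarball, the function names and the timestamp are constructed for illustration.

```python
import io
import posixpath
import stat
import tarfile


def build_sample_tarball() -> bytes:
    """Constructed sample: a tarball with an entry for '.' (mode 0770) plus one file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        root = tarfile.TarInfo("./")
        root.type = tarfile.DIRTYPE
        root.mode = 0o770
        root.mtime = 1169078400  # constructed timestamp (2007-01-18 UTC)
        tar.addfile(root)

        data = b"#!/bin/sh\n"
        member = tarfile.TarInfo("./config.guess")
        member.mode = 0o755
        member.size = len(data)
        tar.addfile(member, io.BytesIO(data))
    return buf.getvalue()


def root_entries(tar_bytes: bytes, workdir_mode: int = 0o700):
    """Return (name, mode, mtime, loosens) for each member naming the extraction root.

    'loosens' is True when the member's mode grants permission bits that
    workdir_mode does not, which is what an extraction honouring archive
    permissions would apply to the current directory.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            # '.', './' and './/.' all normalise to the extraction root
            if posixpath.normpath(m.name) != ".":
                continue
            mode = stat.S_IMODE(m.mode)
            loosens = bool(mode & ~workdir_mode)
            findings.append((m.name, mode, m.mtime, loosens))
    return findings


if __name__ == "__main__":
    for name, mode, mtime, loosens in root_entries(build_sample_tarball()):
        print(f"root entry {name!r}: mode {mode:04o}, mtime {mtime}, loosens 0700: {loosens}")
```

The mtime is reported as well because, per comment 3, the timestamp on the root entry is still applied to the working directory even when permissions are not.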