Bug 167544

Summary:	unpack tar invocation allows for odd tarballs to loosen workdir perms
Product:	Portage Development	Reporter:	Brian Harring (RETIRED) <ferringb>
Component:	Core - Ebuild Support	Assignee:	Portage team <dev-portage>
Status:	RESOLVED INVALID
Severity:	normal	CC:	masterdriverz
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Brian Harring (RETIRED) gentoo-dev

2007-02-18 22:44:49 UTC

Rather weird corner case admittedly, but workdir perms are fairly locked down- problem is, crappy tarballs can actually modify that.

Example is gnuconfig-20070118; the tar has an entry for '.', thus tar tries to enforce the perms/times on cwd, ie, WORKDIR (if that's cwd).

suggest adding --exclude . so that weird tarballs don't inadvertantly loosen the perms.  As is, gnuconfig reduces workdir from 0700 to 0770.

Worst case, the tarball could be particularly retarded and loosen the perms to 0777.

Comment 1 Brian Harring (RETIRED) gentoo-dev

2007-02-18 22:57:23 UTC

worth noting, --exclude . doesn't cut it, although don't have an appropriate pattern for it atm.

Comment 2 Zac Medico gentoo-dev

2007-02-18 23:30:56 UTC

Well, I don't observer the behavior you describe unless I enable tar's -p option, which portage doesn't use in it's unpack function.

Comment 3 Brian Harring (RETIRED) gentoo-dev

2007-02-19 00:25:48 UTC

as stated in #2, won't touch perms, although it does force a utime through...