[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] GNU tar directory traversal
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] GNU tar directory traversal
- From: virus@xxxxxxxxx
- Date: Wed, 22 Nov 2006 10:52:12 +0100
Hello,
Siim Põder wrote:
> So, for example, I make a tar archieve that contains a symlink to
> 'bla'->'/etc' and 'bla/passwd', that - if opened by root - would
> overwrite the passwd file.
right from the man page: A confirmation is needed if -w is used.
> Discussing wether root should ever run tar is irrelevant.
Agreed, the discussion whether root should *run* tar or not is
irrelevant. One shouldn't *trust* tar files from unknown/untrusted
sources, root or not.
GTi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/