LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Blogs > Bits and Pixels
User Name
Password

Notices

Concerning free software, programming, and whatever else I find interesting. Also the blog for my Web site, frigidcode.com.
Rate this Entry

Security issues in opening an archive

Posted 01-17-2012 at 10:21 PM by hydraMax
Updated 01-17-2012 at 10:23 PM by hydraMax (typo)

I've personally opened hundreds (thousands?) of compressed archives -- tar, zip, and otherwise -- without even thinking of the possibility security ramifications of this action. However, extracting files (insecurely) from any archive has potentially two very dangerous effects:

1. overwriting a file that should not be overwritten
2. placing a file in a location you did not expect

These of course are most deadly in combination. The bsdtar manual page has a helpful section on security:

Code:
SECURITY
     Certain security issues are common to many archiving programs, including tar.  In particular,
     carefully-crafted archives can request that tar extract files to locations outside of the target
     directory.  This can potentially be used to cause unwitting users to overwrite files they did
     not intend to overwrite.  If the archive is being extracted by the superuser, any file on the
     system can potentially be overwritten.  There are three ways this can happen.  Although tar has
     mechanisms to protect against each one, savvy users should be aware of the implications:

     ·       Archive entries can have absolute pathnames.  By default, tar removes the leading /
             character from filenames before restoring them to guard against this problem.

     ·       Archive entries can have pathnames that include .. components.  By default, tar will not
             extract files containing .. components in their pathname.

     ·       Archive entries can exploit symbolic links to restore files to other directories.  An
             archive can restore a symbolic link to another directory, then use that link to restore
             a file into that directory.  To guard against this, tar checks each extracted path for
             symlinks.  If the final path element is a symlink, it will be removed and replaced with
             the archive entry.  If -U is specified, any intermediate symlink will also be uncondi‐
             tionally removed.  If neither -U nor -P is specified, tar will refuse to extract the
             entry.
     To protect yourself, you should be wary of any archives that come from untrusted sources.  You
     should examine the contents of an archive with
           tar -tf filename
     before extraction.  You should use the -k option to ensure that tar will not overwrite any
     existing files or the -U option to remove any pre-existing files.  You should generally not
     extract archives while running with super-user privileges.  Note that the -P option to tar dis‐
     ables the security checks above and allows you to extract an archive while preserving any abso‐
     lute pathnames, .. components, or symlinks to other directories.
Interestingly enough, there is no SECURITY discussion section in the manual page for GNU Tar (the default tar option for Linux). However, there is a section in the info document on untrusted sources:

Code:
2.8.4 Extracting Archives from Untrusted Sources
------------------------------------------------

Extracting files from archives can overwrite files that already exist.
If you receive an archive from an untrusted source, you should make a
new directory and extract into that directory, so that you don't have
to worry about the extraction overwriting one of your existing files.
For example, if `untrusted.tar' came from somewhere else on the
Internet, and you don't necessarily trust its contents, you can extract
it as follows:

     $ mkdir newdir
     $ cd newdir
     $ tar -xvf ../untrusted.tar

   It is also a good practice to examine contents of the archive before
extracting it, using `--list' (`-t') option, possibly combined with
`--verbose' (`-v').
Furthermore, the info document indicates that

Code:
By default, GNU `tar' drops a leading `/' on input or output, and
complains about file names containing a `..' component.  There is an
option that turns off this behavior:

`--absolute-names'
`-P'
     Do not strip leading slashes from file names, and permit file names
     containing a `..' file name component.
It is not clear to me exactly what kind of protections GNU Tar uses when extracting entries that are or contain symbolic links, though symbolic links can be dereferenced during archive creation. (Which is not relevant to our discussion.) The GNU Tar manual has this paragraph:

Quote:
Some people argue that GNU tar should not hesitate to overwrite files with other files when extracting. When extracting a tar archive, they expect to see a faithful copy of the state of the file system when the archive was created. It is debatable that this would always be a proper behavior. For example, suppose one has an archive in which ‘usr/local’ is a link to ‘usr/local2’. Since then, maybe the site removed the link and renamed the whole hierarchy from ‘/usr/local2’ to ‘/usr/local’. Such things happen all the time. I guess it would not be welcome at all that GNU tar removes the whole hierarchy just to make room for the link to be reinstated (unless it also simultaneously restores the full ‘/usr/local2’, of course!) GNU tar is indeed able to remove a whole hierarchy to reestablish a symbolic link, for example, but only if ‘--recursive-unlink’ is specified to allow this behavior. In any case, single files are silently removed.
Both GNU Tar and BSD Tar have a -k option to prevent files from being overwritten.

Anyway, now I have a few more thing to think about next time I open a tarball or a ZIP package.
Posted in Uncategorized
Views 289 Comments 0
« Prev     Main     Next »
Total Comments 0

Comments

 

  



All times are GMT -5. The time now is 01:07 PM.

Main Menu

My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration