Extra care is required when creating from or extracting into a file system that is accessible to untrusted users. For example, superusers who invoke tar must be wary about its actions being hijacked by an adversary who is reading or writing the file system at the same time that tar is operating.
When creating an archive from a live file system, tar is vulnerable to denial-of-service attacks. For example, an adversarial user could create the illusion of an indefinitely-deep directory hierarchy ‘d/e/f/g/...’ by creating directories one step ahead of tar, or the illusion of an indefinitely-long file by creating a sparse file but arranging for blocks to be allocated just before tar reads them. There is no easy way for tar to distinguish these scenarios from legitimate uses, so you may need to monitor tar, just as you’d need to monitor any other system service, to detect such attacks.
While a superuser is extracting from an archive into a live file system, an untrusted user might replace a directory with a symbolic link, in hopes that tar will follow the symbolic link and extract data into files that the untrusted user does not have access to. Even if the archive was generated by the superuser, it may contain a file such as ‘d/etc/passwd’ that the untrusted user earlier created in order to break in; if the untrusted user replaces the directory ‘d/etc’ with a symbolic link to ‘/etc’ while tar is running, tar will overwrite ‘/etc/passwd’. This attack can be prevented by extracting into a directory that is inaccessible to untrusted users.
Similar attacks via symbolic links are also possible when creating an archive, if the untrusted user can modify an ancestor of a top-level argument of tar. For example, an untrusted user that can modify ‘/home/eve’ can hijack a running instance of ‘tar -cf - /home/eve/Documents/yesterday’ by replacing ‘/home/eve/Documents’ with a symbolic link to some other location. Attacks like these can be prevented by making sure that untrusted users cannot modify any files that are top-level arguments to tar, or any ancestor directories of these files.
This document was generated on August 23, 2023 using texi2html 5.0.