Mail Archives: cygwin/2010/07/04/13:17:20

X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Sun, 4 Jul 2010 13:17:10 -0400
From: Christopher Faylor <cgf-use-the-mailinglist-please AT cygwin DOT com>
To: cygwin <cygwin AT cygwin DOT com>
Subject: Re: tar: symlinks unpacked to empty files (tar security problem?)
Message-ID: <20100704171709.GA12616@ednor.casa.cgf.cx>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin <cygwin AT cygwin DOT com>
References: <1278237042 DOT 6012 DOT 15 DOT camel AT YAAKOV04>
MIME-Version: 1.0
In-Reply-To: <1278237042.6012.15.camel@YAAKOV04>
User-Agent: Mutt/1.5.20 (2009-06-14)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Sun, Jul 04, 2010 at 04:50:41AM -0500, Yaakov (Cygwin/X) wrote:
>With tar-1.23-1 and recent snapshot:
>
>echo foo > foo
>ln -s $PWD/foo bar
>tar cf test.tar bar foo
>rm -f bar foo
>tar xf test.tar
>ls -l bar foo
>
>You will see that 'bar' is a 0-byte file with 0000 permissions instead
>of a symlink.  The symlink reference need not be absolute; it also
>happens with relative links in different directories, but does not
>happen if I just "ln -s foo bar".

That's because of the way that tar handles symlinks.  If you have a
reference to an absolute path, tar makes a zero-length regular file
placeholder.  Then when it is done extracting, tar is supposed to remove
this file and create the real symlink.  However, the test to make sure
that it is ok to do this was broken by a recent DLL change.  The inode
returned the first time that the file was created was != the inode when
the file is checked later.  So tar thought that the zero-length file was
modified and silently decided not to create the symlink.

I've fixed the cygwin problem - it should be in the next snapshot.  I
think this silent behavior of tar is not too user friendly though.  It
seems like there is a pathological situation there where you'd end up
thinking that you'd extracted a symlink without getting the symlink.  In
fact, I think this is actually a security problem.

Eric, am I missing something about tar's behavior here?

cgf

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
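Added example (not part of the thread, and not Cygwin's or GNU tar's code): a Python emulation of the delayed-symlink scheme cgf describes, plus the post-extraction check a defender would want so that a placeholder left behind is noticed rather than silently accepted. It assumes only the standard library; the file names follow Yaakov's reproduction, the `inode_stable` flag is a stand-in for the DLL regression where the second stat returned a different inode, and the identity check is reduced to `(st_dev, st_ino)`. Real tar applies the placeholder treatment to some relative targets as well; this example keeps only the absolute-path case from the post.

```python
import os
import stat
import tarfile
import tempfile


def make_sample_archive(workdir):
    """Constructed sample matching the commands quoted in the post: a regular
    file 'foo' and 'bar', a symlink whose target is an absolute path."""
    foo = os.path.join(workdir, "foo")
    with open(foo, "w") as f:
        f.write("foo\n")
    bar = os.path.join(workdir, "bar")
    os.symlink(foo, bar)  # absolute target, like "ln -s $PWD/foo bar"
    archive = os.path.join(workdir, "test.tar")
    with tarfile.open(archive, "w") as tf:
        tf.add(bar, arcname="bar")  # stored as a symlink member (no dereference)
        tf.add(foo, arcname="foo")
    return archive


def extract_with_delayed_symlinks(archive, dest, inode_stable=True):
    """Emulation of the scheme described in the post: a symlink with an
    absolute target first becomes an empty, mode-0000 placeholder whose
    (st_dev, st_ino) is remembered; after all members are written, each
    placeholder is re-stat'ed and replaced by the real symlink only if its
    identity is unchanged.  inode_stable=False simulates the regression
    (second stat reports a different inode).  Returns the member names whose
    symlink was silently skipped, leaving the placeholder behind."""
    delayed = []
    skipped = []
    with tarfile.open(archive) as tf:
        for m in tf.getmembers():
            path = os.path.join(dest, m.name)
            if m.issym() and os.path.isabs(m.linkname):
                fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0)
                os.close(fd)
                st = os.stat(path)
                delayed.append((m, path, (st.st_dev, st.st_ino)))
            elif m.issym():
                os.symlink(m.linkname, path)  # relative target: create now
            elif m.isfile():
                with open(path, "wb") as out:
                    out.write(tf.extractfile(m).read())
            elif m.isdir():
                os.makedirs(path, exist_ok=True)
            # other member types are not needed for this demonstration
    for m, path, (dev, ino) in delayed:
        st = os.stat(path)
        seen = (st.st_dev, st.st_ino if inode_stable else st.st_ino + 1)
        if seen != (dev, ino):
            skipped.append(m.name)  # treated as "modified": no symlink, no message
            continue
        os.unlink(path)
        os.symlink(m.linkname, path)
    return skipped


def verify_symlinks(archive, dest):
    """Post-extraction check to run after any extraction (this emulation or a
    real `tar xf`): every symlink member of the archive must exist on disk
    as a symlink with the recorded target.  Returns (member name, problem)
    pairs; an empty list means every symlink is real."""
    problems = []
    with tarfile.open(archive) as tf:
        for m in tf.getmembers():
            if not m.issym():
                continue
            path = os.path.join(dest, m.name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                problems.append((m.name, "missing"))
                continue
            if not stat.S_ISLNK(st.st_mode):
                problems.append((m.name, "not a symlink: mode %04o, %d bytes"
                                 % (stat.S_IMODE(st.st_mode), st.st_size)))
            elif os.readlink(path) != m.linkname:
                problems.append((m.name, "wrong target: " + os.readlink(path)))
    return problems


def round_trip(inode_stable):
    """Build the sample archive, extract it, verify; returns (skipped, problems)."""
    with tempfile.TemporaryDirectory() as work:
        archive = make_sample_archive(work)
        dest = os.path.join(work, "out")
        os.mkdir(dest)
        skipped = extract_with_delayed_symlinks(archive, dest, inode_stable)
        problems = verify_symlinks(archive, dest)
    return skipped, problems


if __name__ == "__main__":
    print("healthy:   ", round_trip(True))
    print("regression:", round_trip(False))
```

With a stable inode the round trip reports nothing; with the simulated regression, `extract_with_delayed_symlinks` quietly skips `bar` and `verify_symlinks` is what surfaces the 0-byte, mode-0000 file in its place. The verifier only needs the archive and the extraction directory, so it can be pointed at a real `tar xf` result as well.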
