Bug#144571: dpkg-source invokes tar without --no-same-owner
Package: dpkg-dev
Version: 1.9.20
Hi,
When extracting tar files, --no-same-owner is the default for everyone
except root. This means that dpkg-source -x used as root will produce
more or less random uids/gids on the files and directories it extracts.
ulysses:/pngtest# /usr/bin/dpkg-source~ -x libpng_1.0.12-3.dsc
dpkg-source~: extracting libpng in libpng-1.0.12
ulysses:/pngtest# ls -ld libpng-1.0.12
drwxr-xr-x 6 620 96 4096 26. Apr 02:26 libpng-1.0.12/
This is obviously bad. The patch below fixes that; however, it requires
GNU tar. This might be a problem for the BSD people. However, the only
more portable solution would be to create a directory accessible only by
root, extract there, and then do a chown -R root.root (the intermediate
directory is necessary to protect the files from the random user like 620
above while unpacking).
The severity of this bug is arguably grave, as it is a potential
security leak if root isn't extremely careful when using dpkg-source (e.g.,
using a protected directory to build in, etc.). However, for me the
aspect that the uids/gids are bogus is much more important than the
potential security leak (as it leads to packages containing files with those
ids on the Hurd, which is indeed another bug).
I will also look into why tar thinks it should create files with those funny
numbers in the first place. However, even when this is fixed dpkg-source
needs this change, as the user/group name in the tar file could match a system
account name by accident.
Thanks,
Marcus
2002-04-26 Marcus Brinkmann <brinkmd@debian.org>
* scripts/dpkg-source.pl: Invoke tar with --no-same-owner to fix ids
when unpacking as root.
--- dpkg-source.pl~ Sun Mar 17 10:54:01 2002
+++ dpkg-source.pl Fri Apr 26 02:22:13 2002
@@ -963,7 +963,7 @@
open(STDIN,"<&GZIP") || &syserr("reopen gzip for tar -xkf -");
&cpiostderr;
chdir("$dirchdir") || &syserr("cannot chdir to \`$dirchdir' for tar extract");
- exec('tar','-xkf','-'); &syserr("exec tar -xkf -");
+ exec('tar','--no-same-owner','-xkf','-'); &syserr("exec tar -xkf -");
}
close(GZIP);
$c2 == waitpid($c2,0) || &syserr("wait for tar -xkf -");
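Review bot: the &syserr text on the `+` line still reads `exec tar -xkf -`, so a failed exec will report a command line that no longer matches what was run; change it to `&syserr("exec tar --no-same-owner -xkf -")`. Also, because tar is exec'd in a child fed from the gzip pipe, a tar that does not know --no-same-owner (the BSD case the report mentions) will die with a usage error and the only visible symptom will be the `wait for tar -xkf -` failure below the hunk; either document the GNU tar requirement in dpkg-dev or probe for the option before relying on it, so the failure mode is explicit rather than a cryptic waitpid error.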
--
`Rhubarb is no Egyptian god.' Debian http://www.debian.org brinkmd@debian.org
Marcus Brinkmann GNU http://www.gnu.org marcus@gnu.org
Marcus.Brinkmann@ruhr-uni-bochum.de
http://www.marcus-brinkmann.de
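An added example, not part of this report or of dpkg, written in Python rather than the Perl of dpkg-source.pl: it audits which members of a tarball a root extraction with tar's default --same-owner would hand to some other account (a stored user or group name that happens to resolve on the system wins over the numeric id, which is the accidental-match case described above), and it unpacks a constructed libpng-like archive so that every entry ends up owned by the extracting user, the effect --no-same-owner gives. The function names and the uid 620 / gid 96 sample archive are constructed for this example.

```python
import grp
import io
import os
import pwd
import tarfile

def build_sample_tarball(uid=620, gid=96, uname="", gname=""):
    """Constructed sample: a libpng-like tree carrying the bogus ids from the report."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in (("libpng-1.0.12", None), ("libpng-1.0.12/README", b"test\n")):
            ti = tarfile.TarInfo(name)
            ti.uid, ti.gid, ti.uname, ti.gname = uid, gid, uname, gname
            if data is None:
                ti.type, ti.mode = tarfile.DIRTYPE, 0o755
            else:
                ti.size, ti.mode = len(data), 0o644
            tf.addfile(ti, None if data is None else io.BytesIO(data))
    return buf.getvalue()

def _resolve(name, lookup, attr, fallback):
    """Mimic tar running as root: a stored name that resolves wins, else the numeric id."""
    try:
        return getattr(lookup(name), attr) if name else fallback
    except KeyError:
        return fallback

def effective_owner(m):
    """(uid, gid) a root extraction with tar's default --same-owner would apply."""
    return (_resolve(m.uname, pwd.getpwnam, "pw_uid", m.uid),
            _resolve(m.gname, grp.getgrnam, "gr_gid", m.gid))

def foreign_members(tar_bytes):
    """Names of members root would hand to a non-root uid or gid."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        return [m.name for m in tf if effective_owner(m) != (0, 0)]

def extract_no_same_owner(tar_bytes, dest):
    """Unpack into dest and force every entry to the extracting user's ids
    (what --no-same-owner does); returns {member name: (st_uid, st_gid)}."""
    uid, gid, owners = os.geteuid(), os.getegid(), {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf:
            if m.name.startswith("/") or ".." in m.name.split("/"):
                raise ValueError("refusing unsafe member name: " + m.name)
            tf.extract(m, dest, set_attrs=False)  # take no owner or mode from the archive
            path = os.path.join(dest, m.name)
            os.chown(path, uid, gid)
            os.chmod(path, m.mode & 0o777)
            st = os.stat(path)
            owners[m.name] = (st.st_uid, st.st_gid)
    return owners
```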