Bug#144571: dpkg-source invokes tar without --no-same-owner

To: submit@bugs.debian.org
Subject: Bug#144571: dpkg-source invokes tar without --no-same-owner
From: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
Date: Fri, 26 Apr 2002 02:41:27 +0200
Message-id: <[🔎] 20020426004127.GD669@212.23.136.22>
Reply-to: Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>, 144571@bugs.debian.org

Package: dpkg-dev
Version: 1.9.20

Hi,

when extracting tar files, --no-same-owner is the default for everyone
except root.  This means that dpkg-source -x used as root will produce
more or less random uids/gids on the files and directories it extracts.

ulysses:/pngtest# /usr/bin/dpkg-source~ -x libpng_1.0.12-3.dsc
dpkg-source~: extracting libpng in libpng-1.0.12
ulysses:/pngtest# ls -ld libpng-1.0.12
drwxr-xr-x    6 620      96           4096 26. Apr 02:26 libpng-1.0.12/

This is obviously bad.  The below patch fixes that, it has the problem
however that it requires GNU tar.  This might be a problem for the BSD
people.  However, the only more portable solution would be to create a
directory only accessible by root, extracting there, and then do a
chown -R root.root (the intermediate directory is necessary to protect the
files from the random user like 620 above while unpacking).

The severity of this bug is arguably grave, as it is a potential
security leak, if root isn't extremely careful when using dpkg-source (eg,
using a protected directory to build in itself etc).  However, for me the
aspect that the uids/gids are bogus is much more important than the
potential security leak (as it leads to packages containing files with those
ids on the Hurd, which is indeed another bug).

I will also look into why tar thinks it should create files with those funny
numbers in the first place.  However, even when this is fixed dpkg-source
needs this change, as the user/group name in the tar file could match a system
account name by accident.

Thanks,
Marcus

2002-04-26  Marcus Brinkmann <brinkmd@debian.org>

	* scripts/dpkg-source.pl: Invoke tar with --no-same-owner to fix ids
	when unpacking as root.

--- dpkg-source.pl~	Sun Mar 17 10:54:01 2002
+++ dpkg-source.pl	Fri Apr 26 02:22:13 2002
@@ -963,7 +963,7 @@
         open(STDIN,"<&GZIP") || &syserr("reopen gzip for tar -xkf -");
         &cpiostderr;
         chdir("$dirchdir") || &syserr("cannot chdir to \`$dirchdir' for tar extract");
-        exec('tar','-xkf','-'); &syserr("exec tar -xkf -");
+        exec('tar','--no-same-owner','-xkf','-'); &syserr("exec tar -xkf -");
     }
     close(GZIP);
     $c2 == waitpid($c2,0) || &syserr("wait for tar -xkf -");


-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org brinkmd@debian.org
Marcus Brinkmann              GNU    http://www.gnu.org    marcus@gnu.org
Marcus.Brinkmann@ruhr-uni-bochum.de
http://www.marcus-brinkmann.de


-- 
To UNSUBSCRIBE, email to debian-dpkg-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Bug#144571: dpkg-source invokes tar without --no-same-owner
  - From: Jules Bean <jules@jellybean.co.uk>

Prev by Date: Processed: Reassigning Bug#143701
Next by Date: Bug#144571: dpkg-source invokes tar without --no-same-owner
Previous by thread: Processed: Reassigning Bug#143701
Next by thread: Bug#144571: dpkg-source invokes tar without --no-same-owner
Index(es):
- Date
- Thread