Next: Dealing with Live Untrusted Data, Previous: Privacy, Up: Security [Contents][Index]
When creating archives, take care that they are not writable by a untrusted user; otherwise, that user could modify the archive, and when you later extract from the archive you will get incorrect data.
When tar extracts from an archive, by default it writes into
files relative to the working directory. If the archive was generated
by an untrusted user, that user therefore can write into any file
under the working directory. When extracting from an
untrusted archive, it is therefore good practice to create an empty
directory and run tar in that directory. You can use the
--directory (-C) option to specify the working
directory (see Changing the Working Directory).
When extracting from an archive, tar by default rejects attempts to
modify files outside the working directory.
For example, if a symbolic link points outside the working directory,
tar refuses to follow the link, regardless of whether the
symbolic link existed before tar was run.
Therefore, when extracting from two or more untrusted archives,
each one can be extracted in turn, into the same initially-empty directory.
Even if an earlier archive creates a symbolic link that
points outside the working directory,
tar will reject any later attempts to follow that symbolic link.
However, this safety mechanism applies only to tar itself:
it does not apply to other programs you may run later, which will
ordinarily follow symbolic links even if they escape the working directory.
If you use the --absolute-names (-P) option when
extracting, tar respects any file names in the archive, even
file names that begin with ‘/’, contain ‘..’, or that follow
a symbolic link to escape the extraction directory.
If you use the --dereference (-h) option when extracting,
tar follows any existing symbolic link that is the last component of
a file name, even if that link escapes the extraction directory.
These two options should be used only for trusted archives, as they
can let an archive overwrite any file in your system that you can owrite.
Conversely, with the --keep-old-files (-k) and
--skip-old-files options, tar refuses to replace
existing files when extracting. The difference between the two
options is that the former treats existing files as errors whereas the
latter just silently ignores them.
Finally, with the --no-overwrite-dir option, tar
refuses to replace the permissions or ownership of already-existing
directories. These options may help when extracting from untrusted
archives.
Next: Dealing with Live Untrusted Data, Previous: Privacy, Up: Security [Contents][Index]