Next: , Previous: , Up: Security   [Contents][Index]


10.2.2 Integrity

When creating archives, take care that they are not writable by a untrusted user; otherwise, that user could modify the archive, and when you later extract from the archive you will get incorrect data.

When tar extracts from an archive, by default it writes into files relative to the working directory. If the archive was generated by an untrusted user, that user therefore can write into any file under the working directory. When extracting from an untrusted archive, it is therefore good practice to create an empty directory and run tar in that directory. You can use the --directory (-C) option to specify the working directory (see Changing the Working Directory).

When extracting from an archive, tar by default rejects attempts to modify files outside the working directory. For example, if a symbolic link points outside the working directory, tar refuses to follow the link, regardless of whether the symbolic link existed before tar was run. Therefore, when extracting from two or more untrusted archives, each one can be extracted in turn, into the same initially-empty directory. Even if an earlier archive creates a symbolic link that points outside the working directory, tar will reject any later attempts to follow that symbolic link. However, this safety mechanism applies only to tar itself: it does not apply to other programs you may run later, which will ordinarily follow symbolic links even if they escape the working directory.

If you use the --absolute-names (-P) option when extracting, tar respects any file names in the archive, even file names that begin with ‘/’, contain ‘..’, or that follow a symbolic link to escape the extraction directory. If you use the --dereference (-h) option when extracting, tar follows any existing symbolic link that is the last component of a file name, even if that link escapes the extraction directory. These two options should be used only for trusted archives, as they can let an archive overwrite any file in your system that you can owrite.

Conversely, with the --keep-old-files (-k) and --skip-old-files options, tar refuses to replace existing files when extracting. The difference between the two options is that the former treats existing files as errors whereas the latter just silently ignores them.

Finally, with the --no-overwrite-dir option, tar refuses to replace the permissions or ownership of already-existing directories. These options may help when extracting from untrusted archives.


Next: Dealing with Live Untrusted Data, Previous: Privacy, Up: Security   [Contents][Index]