On 2025-11-06 12:25, Pavel Cahyna wrote:
it is not clear why to use two ways
of setting (getting) the attributes. Would it work if the caller
(set_stat()) always opened the file provided and passed down just the fd,
Not always, because the caller can't always open the file. It might be a
special file that is a device, for example, which you don't want to open
except maybe with O_PATH, and in that case fchown might not work. And on
non-GNU platforms you don't even have O_PATH. It's quite a mess.
Anyway, I finished my approach to working around this evidently-common
user security blunder, and installed it on Savannah. The main fix is here:
https://cgit.git.savannah.gnu.org/cgit/tar.git/commit/?id=75b03fdff48916bd0654677ed21379bdb0db016d
... but you can't apply this patch in isolation; you need a bunch of
other patches that I also installed. Please give it a try, which you can
do by running something like this:
git clone https://https.git.savannah.gnu.org/git/tar.git
cd tar
./bootstrap
./configure
make check
