Hello Paul, and sorry for the late reply.

On Sat, Nov 15, 2025 at 03:20:17PM -0800, Paul Eggert wrote:
> On 2025-11-06 12:25, Pavel Cahyna wrote:
>
> > it is not clear why to use two ways
> > of setting (getting) the attributes. Would it work if the caller
> > (set_stat()) always opened the file provided and passed down just the fd,
>
> Not always, because the caller can't always open the file. It might be a
> special file that is a device, for example, which you don't want to open
> except maybe with O_PATH, and in that case fchown might not work. And on
> non-GNU platforms you don't even have O_PATH. It's quite a mess.

Oh sorry, of course - I knew that opening devices is a no-no, but I
entirely forgot that tar needs to extract device special files. (And I
suspect FIFOs would be another problematic case.)

> Anyway, I finished my approach to working around this evidently-common user
> security blunder, and installed it on Savannah. The main fix is here:
>
> https://cgit.git.savannah.gnu.org/cgit/tar.git/commit/?id=75b03fdff48916bd0654677ed21379bdb0db016d
>
> ... but you can't apply this patch in isolation; you need a bunch of other
> patches that I also installed. Please give it a try, which you can do by
> running something like this:
>
> git clone https://https.git.savannah.gnu.org/git/tar.git
> cd tar
> ./bootstrap
> ./configure
> make check

Thanks for the fix! I think the fix itself is OK, according to my testing
so far. But I am a bit concerned about the follow-up:
"50b559c3d72163c2e7fa822f4ac9d297d91e1db3 Do not create empty placeholder
files".

The "extract symlinks last" feature implemented by the removed placeholder
files code looks like a useful safety net to me, although arguably
complicated. I don't think that the use of openat2 fully replaces it, as
openat2 protects only from symlinks as intermediate directories during
path resolution and not from symlinks as the final pathname components.

This leads to a perhaps surprising change in behavior: if --dereference is
used, an archive can cause a change of metadata of any directory on the
system, even if -P is not used and one extracts into an empty directory.
Consider an archive that contains a directory symlink to, let's say,
../../../bin and then a directory of the same name as the symlink with a
mode of 0777. Extracting the archive with --dereference at a suitable
empty directory in the hierarchy would cause the permissions of /bin to be
overwritten. The same problem exists even for files if --dereference and
--overwrite are given together: it is possible to overwrite file content
outside the extraction directory.

I know that --dereference is rather nonstandard, but still it is a bit
worrying to see the protection offered so far by the basic security rules
(extract into an empty directory and do not use -P) being reduced. Was
this the intent? I don't see it mentioned in the docs accompanying the
change.

Moreover, this feature looks like it could potentially offer protection in
some other edge cases - for example, the protection of setting attributes
from symlink attacks seems to rely on the AT_SYMLINK_NOFOLLOW flag, which
is not implemented on Linux and emulated in Gnulib, and I wonder if the
emulation is 100% safe in all cases, but admittedly I have not
investigated that in detail.

Best regards,
Pavel
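As an added example, not code from the tar project or from either correspondent: a Python check that models the safety net discussed in the message above, refusing a metadata change whose final pathname component is a symlink resolving outside the extraction directory. The directory layout, the `outside`/`extract` names and the `safe_chmod` helper are constructed for the demo and stand in for the ../../../bin case in the email.

```python
import os
import shutil
import stat
import tempfile


def resolves_within(root, member):
    """True if root/member, after following symlinks in every component
    (the final one included), still lies inside root."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, member))
    return os.path.commonpath([root_real, target]) == root_real


def safe_chmod(root, member, mode):
    """chmod the way a --dereference extraction would, but refuse when
    the fully resolved path escapes the extraction directory."""
    if not resolves_within(root, member):
        raise PermissionError(f"{member!r} resolves outside {root!r}")
    os.chmod(os.path.join(root, member), mode)  # follows symlinks
    return True


def demo():
    """Constructed scenario: 'dir' is a symlink to a directory next to
    the extraction root. Returns (mode after an unchecked chmod,
    whether safe_chmod refused, mode after safe_chmod)."""
    base = tempfile.mkdtemp()
    try:
        outside = os.path.join(base, "outside")
        root = os.path.join(base, "extract")
        os.mkdir(outside)
        os.mkdir(root)
        os.chmod(outside, 0o700)
        os.symlink("../outside", os.path.join(root, "dir"))
        # Unchecked chmod through the final-component symlink rewrites
        # the permissions of the directory outside the extraction root.
        os.chmod(os.path.join(root, "dir"), 0o777)
        escaped_mode = stat.S_IMODE(os.stat(outside).st_mode)
        os.chmod(outside, 0o700)
        try:
            safe_chmod(root, "dir", 0o777)
            refused = False
        except PermissionError:
            refused = True
        kept_mode = stat.S_IMODE(os.stat(outside).st_mode)
        return escaped_mode, refused, kept_mode
    finally:
        shutil.rmtree(base)
```

Running `demo()` shows the unchecked chmod reaching the outside directory while the checked variant refuses and leaves its mode untouched.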
