tar: Live untrusted data

10.2.3 Dealing with Live Untrusted Data
---------------------------------------

Extra care is required when creating from or extracting into a file
system that is accessible to untrusted users.  For example, superusers
who invoke 'tar' must be wary about its actions being hijacked by an
adversary who is reading or writing the file system at the same time
that 'tar' is operating.

   When creating an archive from a live file system, 'tar' is vulnerable
to denial-of-service attacks.  For example, an adversarial user could
create the illusion of an indefinitely-deep directory hierarchy
'd/e/f/g/...' by creating directories one step ahead of 'tar', or the
illusion of an indefinitely-long file by creating a sparse file but
arranging for blocks to be allocated just before 'tar' reads them.
There is no easy way for 'tar' to distinguish these scenarios from
legitimate uses, so you may need to monitor 'tar', just as you'd need to
monitor any other system service, to detect such attacks.

   While a superuser is extracting from an archive into a live file
system, an untrusted user might replace a directory with a symbolic
link, in the hope that 'tar' will follow the symbolic link and extract
data into files that the untrusted user does not have access to.  Even
if the archive was generated by the superuser, it may contain a file such
as 'd/etc/passwd' that the untrusted user earlier created in order to
break in; if the untrusted user replaces the directory 'd/etc' with a
symbolic link to '/etc' while 'tar' is running, 'tar' will overwrite
'/etc/passwd'.  This attack can be prevented by extracting into a
directory that is inaccessible to untrusted users.

   Similar attacks via symbolic links are also possible when creating an
archive, if the untrusted user can modify an ancestor of a top-level
argument of 'tar'.  For example, an untrusted user who can modify
'/home/eve' can hijack a running instance of 'tar -cf -
/home/eve/Documents/yesterday' by replacing '/home/eve/Documents' with a
symbolic link to some other location.  Attacks like these can be
prevented by making sure that untrusted users cannot modify any files
that are top-level arguments to 'tar', or any ancestor directories of
these files.
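   As an added example (not part of the tar manual or of GNU tar itself),
the following Python check supports the last mitigation: before running
'tar', walk every ancestor of a top-level argument and report the ones an
untrusted user could swap for a symbolic link.  The rule it applies
(each prefix must not itself be a symlink, must be owned by root or the
caller, and must not be group/world writable unless the sticky bit is
set) is an assumption of this example, not something the manual
prescribes; the directory tree it builds is constructed for the demo.

```python
import os
import shutil
import stat
import tempfile


def insecure_ancestors(path, trusted_uids=(0,)):
    """Return (prefix, reason) pairs for every prefix of *path* (the
    argument itself included) that an untrusted user could replace with
    a symbolic link while 'tar' runs.  Assumed rule, see lead-in."""
    trusted = set(trusted_uids) | {os.getuid()}
    parts = os.path.abspath(path).split(os.sep)[1:]
    prefixes = [os.sep] + [os.sep + os.sep.join(parts[:i])
                           for i in range(1, len(parts) + 1)]
    findings = []
    for prefix in prefixes:
        try:
            st = os.lstat(prefix)  # lstat: do not follow the link we look for
        except FileNotFoundError:
            break  # remaining components do not exist (yet)
        mode = st.st_mode
        if stat.S_ISLNK(mode):
            findings.append((prefix, "is a symbolic link"))
            continue  # a symlink's own mode bits are meaningless
        if st.st_uid not in trusted:
            findings.append((prefix, "owned by untrusted uid %d" % st.st_uid))
        if mode & (stat.S_IWGRP | stat.S_IWOTH) and not mode & stat.S_ISVTX:
            # Others may rename entries here, e.g. swap a subdirectory
            # for a symlink; the sticky bit would restrict that to owners.
            findings.append((prefix, "group/world writable without sticky bit"))
    return findings


def demo():
    """Constructed tree: <root>/shared is world writable (an untrusted
    user could modify it), <root>/link is a symlink to it."""
    root = tempfile.mkdtemp()  # mode 0700: inaccessible to other users
    shared = os.path.join(root, "shared")
    docs = os.path.join(shared, "Documents")
    os.makedirs(docs)
    os.chmod(shared, 0o777)
    link = os.path.join(root, "link")
    os.symlink(shared, link)
    result = {
        "root": root,
        "shared": insecure_ancestors(os.path.join(docs, "yesterday")),
        "link": insecure_ancestors(os.path.join(link, "Documents")),
        "private": insecure_ancestors(root),
    }
    shutil.rmtree(root)
    return result
```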