From xemacs-m  Wed Apr  2 21:48:25 1997
Received: from wmperry.in.aventail.com (root@wmperry.oz.net [207.13.185.53])
	by xemacs.org (8.8.5/8.8.5) with ESMTP id VAA06492
	for <xemacs-beta@xemacs.org>; Wed, 2 Apr 1997 21:48:23 -0600 (CST)
Received: (from wmperry@localhost) by wmperry.in.aventail.com (8.7.6/8.7.3) id RAA00359; Wed, 2 Apr 1997 17:17:44 -0800
Date: Wed, 2 Apr 1997 17:17:44 -0800
Message-Id: <199704030117.RAA00359@wmperry.in.aventail.com>
From: "William M. Perry" <wmperry@aventail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Steven L Baur <steve@miranova.com>
Cc: xemacs-beta@xemacs.org
Subject: Re: A security hole during XEmacs installation
In-Reply-To: <m2u3lqtesy.fsf@altair.xemacs.org>
References: <kig7mipznnu.fsf@jagor.srce.hr>
	<m2raguibri.fsf@altair.xemacs.org>
	<199704012241.OAA06912@newman>
	<m2u3lqtesy.fsf@altair.xemacs.org>
X-Mailer: VM 6.22 under Emacs 19.34.1
Errors-to: wmperry@aventail.com
Reply-to: wmperry@aventail.com

Steven L Baur writes:
>William M Perry writes:
>
>>   Give up.  I tried to do this for our web server install at spry ages
>> ago.  Resistance is futile.  Actually _GNU TAR_ doesn't have a way to turn
>> this behaviour _OFF_.
>
>> --same-owner is the default, and there is no switch
>> to turn it off.
>
>That proves not to be the case, at least with the version of GNU Tar I 
>have installed (1.11.8).

  It seems to be the default on my Linux box.

[root@wmperry /tmp]# tar xf foo.tar
[root@wmperry /tmp]# ls -alFR html
total 110
drwxr-xr-x   2 wmperry  wmperry      1024 Mar  7 07:49 ./
drwxrwxrwt   5 root     root         1024 Apr  2 06:10 ../
-rwxr-xr-x   1 wmperry  wmperry     53714 Mar  7 07:42 texi2html*
-r--r--r--   1 wmperry  wmperry     53781 Feb 19 16:58 texi2html,v
[root@wmperry /tmp]# rm -fr html
[root@wmperry /tmp]# tar xf foo.tar --same-owner
[root@wmperry /tmp]# ls -alFR html
total 110
drwxr-xr-x   2 wmperry  wmperry      1024 Mar  7 07:49 ./
drwxrwxrwt   5 root     root         1024 Apr  2 06:10 ../
-rwxr-xr-x   1 wmperry  wmperry     53714 Mar  7 07:42 texi2html*
-r--r--r--   1 wmperry  wmperry     53781 Feb 19 16:58 texi2html,v
[root@wmperry /tmp]#tar --version
GNU tar 1.11.8
[root@wmperry /tmp]#

  How are you supposed to turn that off?

>>   Best bet would be to: chown -R `whoami` lisp
>
>>   ??  But that doesn't deal with group crap.
>
>And it doesn't work on systems that don't implement the -R flag in chown.

  Great.  Repeat after me: we all love Unix.

-Bill P.
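
The ownership problem discussed in this message, as an added example that is not part of the original e-mail: a POSIX shell check for entries left owned by someone other than the installing user after a root-run extraction, and a reset that also covers the group and does not depend on `chown -R`. The function names are hypothetical; only standard `find`, `chown` and `id` are assumed.

```sh
#!/bin/sh
# Added example: audit and normalise ownership of a tree unpacked as root.
# Function names are hypothetical; only POSIX find, chown and id are used.

# Print every entry under $1 whose owner or group differs from the
# expected numeric uid ($2) and gid ($3). Defaults: the invoking user.
foreign_owned() {
    dir=$1
    uid=${2:-$(id -u)}
    gid=${3:-$(id -g)}
    find "$dir" \( ! -user "$uid" -o ! -group "$gid" \) -print
}

# Number of entries foreign_owned would report for the same arguments.
foreign_count() {
    foreign_owned "$@" | wc -l | tr -d ' '
}

# Reset owner AND group on everything under $1 without chown -R:
# find does the recursion, and chown -h changes a symlink itself
# instead of following it to a target outside the tree.
normalize_owner() {
    dir=$1
    uid=${2:-$(id -u)}
    gid=${3:-$(id -g)}
    find "$dir" -exec chown -h "$uid:$gid" {} +
}

# Typical use after "tar xf foo.tar" as root:
#   foreign_owned html      # lists anything still owned by the archive's builder
#   normalize_owner html    # hands the whole tree to the installing user and group
```

Passing numeric IDs keeps the check independent of whether the archive builder's user name exists on the install host.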

