Timeline for How do I securely extract an untrusted tar file?
Current License: CC BY-SA 3.0
12 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Apr 17, 2016 at 16:43 | comment | added | Thomas | You might also want to inspect what's inside the tar file by using the -t option. | |
| Apr 17, 2016 at 15:10 | comment | added | Joshua | @OrangeDog: `int main(int argc, char **argv){chroot(".") \|\| exit(1); setuid(getuid());` is easy to audit. | |
| Apr 17, 2016 at 13:51 | history | edited | muru | CC BY-SA 3.0 | deleted 2 characters in body |
| Apr 17, 2016 at 9:03 | comment | added | OrangeDog | @Joshua so your solution to make a very widely-tested utility more secure was to make your own version and give it root privileges? | |
| Apr 17, 2016 at 5:30 | history | tweeted | twitter.com/StackUnix/status/721571497853247490 | ||
| Apr 17, 2016 at 3:14 | comment | added | Joshua | It's not paranoid enough. I constructed some nasty tarballs in the past that ascended via symbolic links that it created. I ended up making my own tar that was setuid-root so it could execute chroot(".") and drop privileges. | |
| Apr 17, 2016 at 1:32 | answer | added | Andrew Henle | timeline score: 6 | |
| Apr 16, 2016 at 23:33 | vote | accept | Demi | ||
| Apr 16, 2016 at 22:51 | answer | added | Gilles 'SO- stop being evil' | timeline score: 21 | |
| Apr 16, 2016 at 22:48 | answer | added | Warren Young | timeline score: 40 | |
| Apr 16, 2016 at 22:21 | review | First posts | |||
| Apr 16, 2016 at 22:22 | |||||
| Apr 16, 2016 at 22:20 | history | asked | Demi | CC BY-SA 3.0 |