Security hole in tar on Microport

[Bill Vermillion]

In article <10750 at ico.ISC.COM+ rcd at ico.ISC.COM (Dick Dunn) writes:
+In article <226 at sea375.UUCP>, dave at sea375.UUCP (David A. Wilson) writes:
+> I have a problem with using tar on microport. I created a tar floppy
+> on a system as an unpriviledged user. When I extracted the floppy on
+> another system running Microport System V/AT version 2.3 all the files
+> extracted were owned by the userid of the other system...

+                                                              The assump-
+tion is that either you're running as root and you want to restore the
+original owners OR you're not root, the chowns will all fail, and you will
+end up owning the files.

You can NOT restore the original owners of a file tar'ed from one machine and
restored on another UNLESS the password files have the same identical user
numbers in both.  tar stores the files owner/group as numbers indexed into the
password file.   If john is 245 on the extract machine and mary is 245 on the
destination, mary will be the owner.

+If the receiving user doesn't exist (e.g., restoring from a tar archive on
+another machine), root has to help you.  (You can't delete the directory,
+even if it's within a directory you can write, because it isn't empty.  You
+can't empty it because you don't own it or the file within it.)
 
And the receiving user must have the same id number on both machines.

-- 
Bill Vermillion - UUCP: {uiucuxc,hoptoad,petsd}!peora!rtmvax!bilver!bill
                      : bill at bilver.UUCP