Solved
After interesting/insightful inputs from different users, here are the takeaways:
- It doesn't have some critical or dangerous impact or implications when extracted
- It contains the tarred parent folder (see below for some neat tricks)
- It only overwrites the owner/permission if `./` itself is included in the tar file as a directory.
- Tarbombs are specially crafted tar archives with absolute paths (`/`). By default (GNU) tar strips absolute paths and will throw a warning, except if used with the special option `--absolute-names` or `-P`.
- Interesting read: Path-traversal vulnerability (`../`)
Some neat tricks I learned from the post
Temporarily created subshell with its own environment:
Let's say you're in the home directory that's called /home/joe. You could go something like:
> (cd bin && pwd) && pwd
/home/joe/bin
/home/joe
Exclude the parent folder and `./`, `./file` entries from tar
There are probably a lot of different ways to achieve that expected goal:
(cd mydir/ && tar -czvf mydir.tgz *)
find mydir/ -printf "%P\n" | tar -czf mytar.tgz --no-recursion -C mydir/ -T -
My original (incorrect) assumptions, corrected by the replies below:
The absolute path could overwrite my directory structure (tarbomb)
Will overwrite permission/owner to the current directory if extracted.
I’m sorry if my question wasn’t clear enough, I’m really doing my best to be as comprehensible as possible :/
Hi everyone!
I'm playing a bit around with tar to understand how it works under the hood. While poking around and searching through the web I couldn't find an actual answer on what the implications of a `./` and `./file` structure in the tar archive are.
Output 1
sudo find ./testar -maxdepth 1 -type d,f -printf "%P\n" | sudo tar -czvf ./xtractar/tar1/testbackup1.tgz -C ./testar -T -
#output
> tar tf tar1/testbackup1.tgz
text.tz
test
my
file.txt
.testzero
test01/
test01/never.xml
test01/file.exe
test01/file.tar
test01/files
test01/.testfiles
My test folder.txt
Output 2
sudo find ./testar -maxdepth 1 -type d,f | sudo tar -czvf ./xtractar/tar2/testbackup2.tgz -C ./testar -T -
#output
> tar tf tar2/testbackup2.tgz
./testar/
./testar/text.tz
./testar/test
./testar/my
./testar/file.txt
./testar/.testzero
./testar/test01/
./testar/test01/never.xml
./testar/test01/file.exe
./testar/test01/file.tar
./testar/test01/files
./testar/test01/.testfiles
./testar/My test folder.txt
./testar/text.tz
./testar/test
./testar/my
./testar/file.txt
./testar/.testzero
./testar/test01/
./testar/test01/never.xml
./testar/test01/file.exe
./testar/test01/file.tar
./testar/test01/files
./testar/test01/.testfiles
./testar/My test folder.txt
The outputs are clearly different, and if I extract them both, the only difference I see is that the second outputs the parent folder. But reading here and here, this is not a good solution? But nobody actually says why?
Has anyone a good explanation of why the second way is bad practice, or not recommended?
Thank you :)
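As an added example (not code from the thread), the three archiving strategies discussed above reproduced with Python's standard `tarfile` module on a constructed directory tree: the parent folder kept (plain `tar mydir`), the parent folder excluded (the `find -printf "%P\n"` trick), and Output 2's pattern, where `find` hands tar both `./testar` and each child, so tar adds the directory recursively and then adds every child a second time. The directory layout (`mydir/` with `file.txt`, `.hidden` and `sub/inner.txt`) is constructed here. One caveat worth seeing: the `(cd mydir && tar ... *)` trick skips dotfiles such as `.testzero` unless the shell has `dotglob` set, whereas `os.listdir()` (and `find`) return them.

```python
import io
import os
import tarfile
import tempfile


def make_tree(base):
    """Create a small constructed directory tree: mydir/ with a dotfile and a subfolder."""
    root = os.path.join(base, "mydir")
    os.makedirs(os.path.join(root, "sub"))
    for rel in ("file.txt", ".hidden", os.path.join("sub", "inner.txt")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root


def archive_with_parent(root):
    """Like `tar -czf mydir.tgz mydir`: every member name carries the parent folder."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(root, arcname=os.path.basename(root))
    return buf.getvalue()


def archive_without_parent(root):
    """Like `find mydir -printf "%P\\n" | tar -C mydir -T -`: each top-level entry is
    added under its name relative to mydir, so there is no parent folder and no `./`
    entry. Unlike a shell `*`, os.listdir() also returns dotfiles."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for entry in sorted(os.listdir(root)):
            tar.add(os.path.join(root, entry), arcname=entry)
    return buf.getvalue()


def archive_parent_then_children(root):
    """Reproduces Output 2 from the question: `find` listed both ./mydir and its
    children, so the directory is added recursively *and* each child is added again."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(root, arcname="./mydir")
        for entry in sorted(os.listdir(root)):
            tar.add(os.path.join(root, entry), arcname="./mydir/" + entry)
    return buf.getvalue()


def member_names(data):
    """Member names in archive order; duplicates are kept on purpose."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers()]


def demo():
    """Build all three archives from a temporary tree and return their member lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = make_tree(tmp)
        return (
            sorted(member_names(archive_with_parent(root))),
            sorted(member_names(archive_without_parent(root))),
            member_names(archive_parent_then_children(root)),
        )


if __name__ == "__main__":
    labels = ("with parent", "without parent", "parent, then children again (Output 2)")
    for label, names in zip(labels, demo()):
        print(f"{label}:")
        for name in names:
            print("  " + name)
```

The third list comes out with nine entries for five distinct paths, which is exactly the doubled listing in Output 2: nothing is wrong with the archive, but every file is stored (and later extracted) twice. The `-maxdepth 1` / `%P` form in Output 1 avoids that because the parent directory itself is never handed to tar.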
You're right :) In my current example it's probably "harmless" if extracted properly in a separate folder. Maybe I do not understand how it works (please educate me :)) but if my tar contains the following folder `./home/user/` and I extract it in my current home folder (which would be kinda stupid, but it happens), this will overwrite the home folder (which is the principle of a tarbomb? mess up and overwrite directories?). There's still another odd behavior with `./`! When extracted it will overwrite the permission/owner of the current directory.
No it will not. It will extract your files to `/home/user/home/user`, so a nested home directory inside your home directory (yo dawg). The man page section you quote is about absolute paths. That is, paths that start with a `/` without a leading dot. They indeed can be dangerous, but by default (GNU) tar strips absolute paths and will throw a warning like:
# tar -cf test.tar /etc/hosts
                   ^leading slash
tar: Removing leading `/' from member names
# tar -tvf test.tar
-rw-r--r-- root/root 184 2022-12-08 20:27 etc/hosts
                                          ^no leading slash
Thank you very much for the clarification! That's exactly the kind of input I was looking for! I tried it out and you're absolutely right! I will edit my post.
Thanks, after a long sleep I edited my post to avoid misinformation and errors due to my lack of knowledge! Thanks for your time and clarifications on that specific point!
You’re welcome!
Only if `./` itself is included in the tar file as a directory.
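Pulling the thread's three findings together (absolute paths are what make a tarbomb, `../` is the path-traversal case, and a `./` directory entry applies its mode/owner to the extraction directory), here is an added example, not code from anyone in the thread, that inspects an archive for those member kinds before extraction. The archive is constructed in memory with `tarfile.TarInfo` objects so that it can carry names GNU tar would normally strip at creation time; every member name and the `0o700` mode are sample values chosen here.

```python
import io
import posixpath
import tarfile


def build_sample_archive():
    """Constructed in-memory archive with one member of each kind the thread discusses."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        # A './' directory entry: on extraction tar applies its mode/owner to
        # the directory you extract into, not to a new subdirectory.
        root = tarfile.TarInfo("./")
        root.type = tarfile.DIRTYPE
        root.mode = 0o700
        tar.addfile(root)

        members = (
            ("./mydir/file.txt", b"hello\n"),          # harmless relative member
            ("/etc/hosts", b"127.0.0.1 localhost\n"),   # absolute path (tarbomb case)
            ("../escape.txt", b"outside\n"),           # path traversal via '..'
        )
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        # A symlink whose target points outside the extraction directory.
        link = tarfile.TarInfo("mydir/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tar.addfile(link)
    return buf.getvalue()


def audit_member(info):
    """Return a reason string if this member should not be extracted blindly, else None."""
    name = info.name
    if name.startswith("/"):
        return "absolute path: would write outside the extraction directory"
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        return "path traversal: resolves above the extraction directory"
    if info.isdir() and norm == ".":
        return "'./' entry: its mode/owner are applied to the extraction directory itself"
    if info.issym() or info.islnk():
        target = info.linkname
        if target.startswith("/"):
            return "link target is absolute"
        resolved = posixpath.normpath(posixpath.join(posixpath.dirname(norm), target))
        if resolved == ".." or resolved.startswith("../"):
            return "link target resolves above the extraction directory"
    return None


def audit_archive(data):
    """Map each flagged member name to the reason it was flagged."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for info in tar.getmembers():
            reason = audit_member(info)
            if reason is not None:
                findings[info.name] = reason
    return findings


if __name__ == "__main__":
    for name, reason in audit_archive(build_sample_archive()).items():
        print(f"{name!r}: {reason}")
```

Running this lists four flagged members (the `./` entry, `/etc/hosts`, `../escape.txt` and the symlink) and leaves `./mydir/file.txt` alone. Note that `tarfile` reports the `./` directory entry with its trailing slash stripped, which is why the check normalises the name before comparing it to `.`. On Python 3.12 and later (and the backports that added PEP 706), `TarFile.extractall(filter="data")` refuses the absolute and `..` members automatically; the audit above is useful where you want to see what an archive contains before deciding whether, and where, to extract it at all.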