Solved
After interesting/insightful inputs from different users, here are the takeaways:
- It doesn’t have some critical or dangerous impact or implications when extracted
- It contains the tared parent folder (see below for some neat tricks)
- It only overwrites the owner/permission if
./itself is included in the tar file as a directory. - Tarbombs are specially crafted tar archives with absolute paths
/(by default (GNU) tar strips absolute paths and will throw a warning except if used with a special option–absolute-names or -P) - Interesting read: Path-traversal vulnerability (
../)
Some neat trick I learned from the post
Temporarily created subshell with its own environment:
Let’s say you’re in the home directory that’s called /home/joe. You could go something like:
> (cd bin && pwd) && pwd
/home/joe/bin
/home/joe
Exclude parent folder and ./ ./file from tar
There are probably a lot of different ways to achieve that expected goal:
(cd mydir/ && tar -czvf mydir.tgz *)
find mydir/ -printf "%P\n" | tar -czf mytar.tgz --no-recursion -C mydir/ -T -
source
The absolute path could overwrite my directory structure (tarbomb) source
Will overwrite permission/owner to the current directory if extracted. source
I’m sorry if my question wasn’t clear enough, I’m really doing my best to be as comprehensible as possible :/
Hi everyone !
I’m playing a bit around with tar to understand how it works under the hood. While poking around and searching through the web I couldn’t find an actual answer, on what are the implication of ./ and ./file structure in the tar archive.
Output 1
sudo find ./testar -maxdepth 1 -type d,f -printf "%P\n" | sudo tar -czvf ./xtractar/tar1/testbackup1.tgz -C ./testar -T -
#output
> tar tf tar1/testbackup1.tgz
text.tz
test
my
file.txt
.testzero
test01/
test01/never.xml
test01/file.exe
test01/file.tar
test01/files
test01/.testfiles
My test folder.txt
Output 2
sudo find ./testar -maxdepth 1 -type d,f | sudo tar -czvf ./xtractar/tar2/testbackup2.tgz -C ./testar -T -
#output
>tar tf tar2/testbackup2.tgz
./testar/
./testar/text.tz
./testar/test
./testar/my
./testar/file.txt
./testar/.testzero
./testar/test01/
./testar/test01/never.xml
./testar/test01/file.exe
./testar/test01/file.tar
./testar/test01/files
./testar/test01/.testfiles
./testar/My test folder.txt
./testar/text.tz
./testar/test
./testar/my
./testar/file.txt
./testar/.testzero
./testar/test01/
./testar/test01/never.xml
./testar/test01/file.exe
./testar/test01/file.tar
./testar/test01/files
./testar/test01/.testfiles
./testar/My test folder.txt
The outputs are clearly different and if I extract them both the only difference I see is that the second outputs the parent folder. But reading here and here this is not a good solution? But nobody actually says why?
Has anyone a good explanation why the second way is bad practice? Or not recommended?
Thank you :)
Has anyone a good explanation why the second way is bad practice? Or not recommended?
They’re functionally the same. It’s like the difference between
mkdir somedirandmkdir ./somedir. The leading./is not necessary, so I guess you could consider it less clean, but I wouldn’t lose any sleep over it.Haha, thank you xD I think I wouldn’t lose my sleep over it, except if I tarbomb my server !! My question was probably baddly written, but this kind of structure could actually be dangerous !
this kind of structure could actually be dangerous
citation needed
I mean, tarbombs exist, but not because of the leading
./as far as I know and they’re usually specifically crafted tar files to create harm, not something you accidentally create yourself while tarring stuff.You’re right :) In my current example it’s probably “harmless” if extracted properly in a separated folder. Maybe I do not understand how it works (please educate me :)) but if my tar contains the following folder
./home/user/and I extract it in my current home folder (which would be kinda stupid but It happens) this will overwrite the home folder (which is the principle of a tarbomb? mess up and overwrite directories?).A related problem is the use of absolute paths or parent directory references when creating tar files. Files extracted from such archives will often be created in unusual locations outside the working directory and, like a tarbomb, have the potential to overwrite existing files. However, modern versions of FreeBSD and GNU tar do not create or extract absolute paths and parent-directory references by default, unless it is explicitly allowed with the flag -P or the option --absolute-names. source
There’s still another odd behavior with
./! When extracted it will overwrite the permission/owner to the current directory sourceThere’s still another odd behavior with ./ ! When extracted it will overwrite the permission/owner to the current directory source
Only if
./itself is included in the tar file as a directory.If my tar contains the following folder
./home/user/and I extract it in my current home folder (which would be kinda stupid but It happens) this will overwrite the home folderNo it will not. It will extract your files to
/home/user/home/user, so a nested home directory inside your home directory (yo dawg).The man page section you quote is about absolute paths. That is, paths that start with a
/without a leading dot. They indeed can be dangerous, but by default (GNU) tar strips absolute paths and will throw a warning like:# tar -cf test.tar /etc/hosts ^leading slash tar: Removing leading `/' from member names # tar -tvf test.tar -rw-r--r-- root/root 184 2022-12-08 20:27 etc/hosts ^no leading slashThank you very much for the clarification ! That’s exactly the kind of input I was looking for ! I tried it out and your absolutely right ! I will edit my post.
Thanks after a long sleep I edited my post to avoid misinformation and errors due of my lacked knowledge ! Thanks for your time and clarifications on that specific point !
You’re welcome!
A “tarbomb” usually refers to an archive that has multiple (often a large number) of top-level items. Traditionally a tar archive contains a single folder, which may contain more things inside of this. This can be annoying because if you do
tar -xf tarbomb.tarin your home directory (or downloads folder) you now have a bit of a mess that you need to clean up.It is a bit of a historical artifact, most archive managers will create a folder for the contents if there are multiple top-level items, and you really shouldn’t be extracting archives in directories with other files anyways as it could be a security issue (for example if there is a
.profileor.ssh/authorized_keysfile in that archive). Of coursetarwon’t protect you by default unless you pass--one-top-level.I think what you are concerned about is a path-traversal vulnerability where
tarwill write files outside of the current directory. Any moderntarshould not allow this, no matter what the archive contains.Thank you for the clarification ! That’s way most post are from 2007 and couldn’t find any recent documentation !
Will take a look at
path-traversal vulnerabilitythanks for the info !
I’m not certain, but I’m guessing it may be related to absolute versus relative file paths.
In UNIX-y systems
./is your current local directory, so if I was in/usr/home/willand I extracted your file I would expect any file that was like./foo.txtto be extracted to/usr/home/will/foo.txt, and if there were files like./testar/bar.txt, they would be extracted to a new directory/usr/home/will/testar/bar.txt– or is that not what you’re talking about?I don’t want:
my_directory --- my_file --- my_file --- my_fileI want:
my_file my_file my_fileQuoted from the question.
Yeah but that doesn’t answer my question: What’s the implication of
./in the tar file? I mean when I extract them, both seem similar but most people say it’s bad practice or not recommended but why?I know and do understand how to achieve both with and without the root folder.
Actually it’s a bad practice called the tar bomb.
Thank you, I think this is a good lead, but couldn’t find a lot of information about it. But the general gist is that it could overwrite my folder structure and mess up the filesystem (source). All sources I found are very old, does that mean that there’s some kind of protection today?
I also found out that it will extract the permission and owner to the current directory :/ so this a very odd behavior… (source).
Thank you for your answer !
I doubt there’s a perfect protection. Maybe some tar implementations asks confirmation before tar-bombing, but it then wouldn’t work for non-interactive sessions, etc.
tar overwrites permissions because tar was meant for archiving iirc. Although, there might be a command line option to change its behavior.
Perhaps, the zip command is better for your purpose. It doesn’t allow zip-bombs and perhaps doesn’t overwrite permission.
I think that since you’re piping in the file list from
find, the-C ./testarin thetarcommand is basically irrelevant? You probably need tocd ./testarbefore thefind. Maybe you could do that in a subshell so that thecddoesn’t affect yourtararchive path? So something like:(sudo cd ./testar && sudo find ./ -maxdepth 1 -type d,f) | sudo tar -czvf ./xtractar/tar2/testbackup2.tgz -T -Ok, I actually tried something like this at a terminal. You do still need the
-C ./testarif you use the subshell sincetarwon’t know where to look otherwise.(sudo cd ./testar && sudo find . -maxdepth 1 -type d,f) | sudo tar -czvf ./xtractar/tar2/testbackup2.tgz -C ./testar -T -This will still give you a listing with
./text.tzand so on becausefindprints./whateverwhen you search.. I think this is harmless? But I suppose you could remove them if it bothers you.(sudo cd ./testar && sudo find . -maxdepth 1 -type d,f) | cut -c3- | sudo tar -czvf ./xtractar/tar2/testbackup2.tgz -C ./testar -T -Thank you for testing it out and give some nice insights on how to improve the command. Just curious what’s about the parenthesis
(sudo cd ./testar && sudo find . -maxdepth 1 -type d,f)? I have never seen a command structured like that !Regarding my question, someone lead me to the right direction. This could overwrite my actual folder structure (tarbomb) depending on where it’s extracted and the absolute path in the tar. It will also extract the permission and ownership to the current directory… source
The commands within the parentheses run in a temporarily created subshell with its own environment. So you can change the working directory within it and it won’t effect your main shell’s working directory.
Let’s say you’re in the home directory that’s called
/home/joe. You could go something like:> (cd bin && pwd) && pwd /home/joe/bin /home/joeIf
findhad something equivalent totar -C, you wouldn’t need to do this, but I don’t think it does?Thank youuu !! I learned something really interesting !!! :)
(sudo cd ./testar && sudo find . -maxdepth 1 -type d,f) | cut -c3- | sudo tar -czvf ./xtractar/tar2/testbackup2.tgz -C ./testar -T -So, you’re trying to
sudo cd? :P I tried a hacky way I found on superuser.comsudo sh -c 'cd dirname'doesn’t work -_- !Thank you very much :))) The cut -c3- is a nice alternative !!
Oh yeah, that’s another way to make a subshell. But don’t forget to stick the
findin there also:sudo sh -c 'cd ./testar && find . -maxdepth 1 -type d,f' | ...