Age | Commit message | Author
NOTE: dpath requires a fairly new kernel
ok semarie
ok deraadt, mmcc, tedu
ok guenther@, deraadt@
(gzip, compress, bzip2) rather than following the user's path. This
seems easier than hardcoding the paths elsewhere and using basename().
pax/tar is pledged itself, but it can spawn one of these programs if
asked. The three found at the strict path use pledge "stdio" very early
during startup, providing a warm fuzzy pledge->exec->no-pledge->pledge
interlock. For bzip2, this assumes use of the ports/packages version
installed to /usr/local/bin, which has been pledged by sthen@.
Doing a 'tar tvfz hostile.tgz' becomes a bit safer, since an attacker
finding a buffer overflow or use after free has significantly fewer
system calls available (only pledge "stdio" in the decompressor).
ok millert sthen
shouldn't do things with filesystem.
ok deraadt@ millert@
A pledged program is not allowed to change user/group for others.
"I think that makes the most sense" @sthen
Otherwise, lay the groundwork for whether a gzip program may be run or not.
After such a gzip program is started, pledge the program will not exec
again. Took a few iterations to get this going... it is looking good.
with guenther.
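The two commits above (running the decompressor only from a strict path, and pledging that pax will not exec again once gzip has been started) describe one pattern: look the helper up in a fixed allowlist, exec it by absolute path, then drop "exec" in the parent for good. The block below is an added illustration of that pattern, not pax's own code. The allowlisted paths, the "-d" invocation and the promise strings are assumptions chosen for the example; pledge(2) exists only on OpenBSD, so it is stubbed out elsewhere and the allowlist logic still compiles and runs.

```c
/* Added example, not pax(1) code. pledge(2) is OpenBSD-only and is stubbed out
 * elsewhere; the promise strings below are illustrative, not the ones pax uses. */
#include <err.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#ifdef __OpenBSD__
#define PLEDGE(promises) \
	do { if (pledge((promises), NULL) == -1) err(1, "pledge"); } while (0)
#else
#define PLEDGE(promises) ((void)(promises))
#endif

/* Strict allowlist: the decompressor selected by -z/-Z/-j maps to one fixed path. */
static const struct {
	const char *name, *path;
} decompressors[] = {
	{ "gzip",     "/usr/bin/gzip" },
	{ "compress", "/usr/bin/compress" },
	{ "bzip2",    "/usr/local/bin/bzip2" },	/* packages version, as in the commit */
};

/* Exact-name lookup: a PATH search, "../gzip" or "gzip2" never gets through. */
const char *decompressor_path(const char *name)
{
	size_t i;

	for (i = 0; i < sizeof decompressors / sizeof decompressors[0]; i++)
		if (strcmp(name, decompressors[i].name) == 0)
			return decompressors[i].path;
	return NULL;
}

/* Start "<path> -d" reading the archive from archive_fd. Returns the read end of a
 * pipe carrying the decompressed stream, or -1. Once the child is running the
 * parent has no further need to exec, so it re-pledges without "exec" or "proc". */
int spawn_decompressor(const char *name, int archive_fd, pid_t *pidp)
{
	const char *path = decompressor_path(name);
	int pfd[2];
	pid_t pid;

	if (path == NULL || pipe(pfd) == -1)
		return -1;
	if ((pid = fork()) == -1) {
		close(pfd[0]);
		close(pfd[1]);
		return -1;
	}
	if (pid == 0) {
		/* Child: unpledged only until the decompressor's own early pledge("stdio"). */
		if (dup2(archive_fd, STDIN_FILENO) == -1 ||
		    dup2(pfd[1], STDOUT_FILENO) == -1)
			_exit(127);
		close(pfd[0]);
		close(pfd[1]);
		execl(path, path, "-d", (char *)NULL);	/* absolute path: no PATH lookup */
		_exit(127);
	}
	close(pfd[1]);
	PLEDGE("stdio rpath wpath cpath fattr");
	*pidp = pid;
	return pfd[0];
}

/* Reap the child; returns its exit status, or -1 if it was signalled or exec failed. */
int wait_decompressor(pid_t pid)
{
	int status;

	if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status);
}
```

The point of the interlock is visible in spawn_decompressor(): the parent keeps "exec" only as long as it is needed, and the exec'd program is on its own until its first pledge call, which is why the commit insists on helpers that pledge "stdio" very early.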
noted by trondd(at)kagu-tsuchi.com
ok deraadt@
Some scripts and GUI ssh clients assume that tar writes to standard output by
default. This change allows enforcing such behavior by setting TAPE="-" in the
user profile.
Also, this makes parsing of the argument to the "-f" option and of the contents of
the TAPE environment variable consistent.
OK guenther@, jmc@ and sthen@
handling along the way.
Reviews by Brendan MacDonell, Jeremy Devenport, florian, doug, millert
Adjust the conditions to correct that.
ok millert@
and a basis for support of mtime and atime values in pax-format extended
header records.
ok millert@
ok millert@
pax-like -o write_opt=nodir.
ok millert@ otto@
but if you *did* succeed anyway, truncate it?
What's worse, the tzfile.h that gets installed is over 20 years old
and doesn't match the real tzfile.h in libc/time. This makes the
tree safe for /usr/include/tzfile.h removal. The TM_YEAR_BASE
define has been moved to time.h temporarily until its usage is
replaced by 1900 in the tree. Actual removal of tzfile.h is pending
a ports build. Based on a diff from deraadt@
like compress, gzip, bzip2, or xz output. If so then error out with
a useful message directing the user to the correct option and error
out instead of scanning forward for an embedded tar/cpio header.
wording help from sobrado@
ok millert@ deraadt@
* Prevent an archive from escaping the current directory by itself:
when extracting a symlink whose value is absolute or contains ".."
components, just create a zero-length normal file (with additional
tracking of the mode and hardlinks to the symlink) until everything
else is extracted, then go back and replace it with the requested
link (if it's still that zero-length placeholder).
* For tar without -P, if a path in the archive has any ".." components
then strip everything up to and including the last of them (if
it ends in ".." then it becomes ".")
This mostly follows GNU tar's behavior, except for 'tar tf' and
'tar xvf' we report the modified path that would be/was actually
created instead of the raw path from the archive
Above two fixes prompted by a report from Daniel Cegielka
(daniel.cegielka (at) gmail.com)
* For directories whose times or mode will be fixed up in the
clean-up pass, record their dev+ino and then use
open(O_DIRECTORY)+fstat() to verify that we're updating the correct
directory before using futimens() and fchmod().
* Correct buffer overflow in handling of pax extension headers,
caught by the memcpy() overlap check.
previously ok millert@ deraadt@
requested by deraadt@
directory listed twice with nothing created inside the directory
in between the two instances of the directory. The other fixes
extracting symlinks when the -C option is used. From guenther@
OK krw@
when extracting a symlink whose value is absolute or contains ".."
components, just create a zero-length normal file (with additional
tracking of the mode and hardlinks to the symlink) until everything
else is extracted, then go back and replace it with the requested
link (if it's still that zero-length placeholder).
This and previous symlink and ".." path fixes prompted by a report
from Daniel Cegielka (daniel.cegielka (at) gmail.com)
ok millert@
strip everything up to and including the last of them (if it ends in ".."
then it becomes ".")
This mostly follows GNU tar's behavior, except for 'tar tf' and 'tar xvf'
we report the modified path that was actually created instead of the raw
path from the archive
ok w/tweak millert@, deraadt@
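The two commits above (placeholders for symlinks whose value is absolute or contains "..", and stripping everything through the last ".." component for tar without -P) are the same rules summarised in the combined commit further up. The block below is an added example of those rules, not pax's own implementation: strip_dotdot() is the ".." rule, symlink_needs_placeholder() is the classification, and defer_symlink()/finish_symlink() show the "only if it's still that zero-length placeholder" check that stops a later archive entry from being turned into an escaping link. The self-check writes under /tmp, which is assumed writable; leading-slash stripping, which -P also controls, is left aside.

```c
/* Added example, not pax(1) code: ".." stripping and deferred symlinks. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* True if the component starting at p (ending at end, or at NUL) is exactly "..". */
static int is_dotdot(const char *p, const char *end)
{
	size_t len = end ? (size_t)(end - p) : strlen(p);
	return len == 2 && p[0] == '.' && p[1] == '.';
}

/* Copy in to out minus everything up to and including its last ".." component:
 * "a/../b/../c" -> "c", "../x" -> "x", "a/.." -> ".". Returns 1 if the path
 * was modified, 0 if copied unchanged, -1 if the result does not fit in out. */
int strip_dotdot(const char *in, char *out, size_t outlen)
{
	const char *p = in, *keep = in, *end;
	int found = 0;

	for (;;) {
		end = strchr(p, '/');
		if (is_dotdot(p, end)) {
			found = 1;
			keep = end ? end + 1 : p + 2;	/* what survives starts here */
		}
		if (end == NULL) break;
		p = end + 1;
	}
	if (found && *keep == '\0') keep = ".";
	if (strlen(keep) >= outlen) return -1;
	memcpy(out, keep, strlen(keep) + 1);
	return found;
}

/* One-off form of strip_dotdot(); the result lives in a static buffer. */
const char *stripped(const char *in)
{
	static char buf[PATH_MAX];
	return strip_dotdot(in, buf, sizeof buf) < 0 ? NULL : buf;
}

/* A target that is absolute or has any ".." component may point outside the tree. */
int symlink_needs_placeholder(const char *target)
{
	const char *p = target, *end;

	if (target[0] == '/') return 1;
	for (;; p = end + 1) {
		end = strchr(p, '/');
		if (is_dotdot(p, end)) return 1;
		if (end == NULL) return 0;
	}
}

struct deferred_link { char path[PATH_MAX], target[PATH_MAX]; };

/* Create the zero-length placeholder now and remember what it should become. */
int defer_symlink(const char *path, const char *target, struct deferred_link *d)
{
	int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
	if (fd == -1) return -1;
	close(fd);
	snprintf(d->path, sizeof d->path, "%s", path);
	snprintf(d->target, sizeof d->target, "%s", target);
	return 0;
}

/* Final pass: turn the placeholder into the link, but only if it is still the placeholder. */
int finish_symlink(const struct deferred_link *d)
{
	struct stat sb;

	if (lstat(d->path, &sb) == -1 || !S_ISREG(sb.st_mode) || sb.st_size != 0)
		return -1;	/* a later entry replaced it: keep that, drop the link */
	if (unlink(d->path) == -1) return -1;
	return symlink(d->target, d->path);
}

/* Self-check in a fresh directory under /tmp (assumed writable). Returns 1 when a
 * tampered placeholder is refused and an intact one becomes the link. */
int deferred_symlink_demo(void)
{
	char dir[] = "/tmp/paxlinkXXXXXX", path[PATH_MAX];
	struct deferred_link d;
	struct stat sb;
	int fd, ok;

	if (mkdtemp(dir) == NULL) return 0;
	snprintf(path, sizeof path, "%s/escape", dir);
	ok = defer_symlink(path, "../../etc/passwd", &d) == 0 &&
	    (fd = open(path, O_WRONLY)) != -1 && write(fd, "x", 1) == 1 && close(fd) == 0 &&
	    finish_symlink(&d) == -1 &&			/* no longer a placeholder */
	    truncate(path, 0) == 0 && finish_symlink(&d) == 0 &&
	    lstat(path, &sb) == 0 && S_ISLNK(sb.st_mode);
	unlink(path);
	rmdir(dir);
	return ok;
}
```

finish_symlink() uses lstat(), not stat(), so a placeholder that has itself been replaced by a link is refused rather than followed; that is the property the "if it's still that zero-length placeholder" wording is protecting.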
ok millert@ deraadt@
For directories whose times or mode will be fixed up in the clean-up pass,
record their dev+ino and then use open(O_DIRECTORY)+fstat() to verify that
we're updating the correct directory before using futimens() and fchmod().
ok sthen@ millert@
restoring mode and times: ..." (and an error exit code, which breaks at least
building ports). krw@ agrees.
record their dev+ino and then use open(O_DIRECTORY)+fstat() to verify that
we're updating the correct directory before using futimens() and fchmod().
ok millert@
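The dev+ino check in the commit above (and in its earlier, backed-out and re-committed form) closes the window between creating a directory and fixing up its mode and times in the clean-up pass: a path-based chmod(2) or utimes(2) would follow whatever that path has become in the meantime. The block below is an added example of the check, not pax's own code: record_dir() captures the identity at creation, fixup_dir() reopens with O_DIRECTORY, fstat()s the descriptor and only then calls futimens()/fchmod() on it. The self-check swaps the recorded directory for a symlink to a sibling and expects the fix-up to refuse; it writes under /tmp, which is assumed writable, and the mode and timestamp values are made up for the demonstration.

```c
/* Added example, not pax(1) code: verify a directory's identity before fixing it up. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

struct dirfix {
	char path[PATH_MAX];
	dev_t dev;
	ino_t ino;
	mode_t mode;			/* final mode from the archive */
	struct timespec times[2];	/* atime, mtime from the archive */
};

/* Called right after the directory is created (with a temporary, writable mode). */
int record_dir(const char *path, mode_t mode, const struct timespec times[2],
    struct dirfix *f)
{
	struct stat sb;

	if (lstat(path, &sb) == -1 || !S_ISDIR(sb.st_mode))
		return -1;
	snprintf(f->path, sizeof f->path, "%s", path);
	f->dev = sb.st_dev;
	f->ino = sb.st_ino;
	f->mode = mode;
	f->times[0] = times[0];
	f->times[1] = times[1];
	return 0;
}

/* Clean-up pass: 0 on success, -1 if the path no longer names the directory we made. */
int fixup_dir(const struct dirfix *f)
{
	struct stat sb;
	int fd, rv = -1;

	if ((fd = open(f->path, O_RDONLY | O_DIRECTORY)) == -1)
		return -1;
	/* Everything after this point acts on fd, never on the path again. */
	if (fstat(fd, &sb) == 0 && sb.st_dev == f->dev && sb.st_ino == f->ino &&
	    futimens(fd, f->times) == 0 && fchmod(fd, f->mode) == 0)
		rv = 0;
	close(fd);
	return rv;
}

/* Demo under /tmp (assumed writable): the recorded directory is replaced by a
 * symlink to a sibling before the fix-up. Returns 1 if the swap is refused and
 * the untouched case still gets its mode and mtime. */
int dir_identity_demo(void)
{
	char base[] = "/tmp/paxdirXXXXXX", victim[PATH_MAX], target[PATH_MAX];
	struct timespec ts[2] = { { .tv_sec = 1000000000 }, { .tv_sec = 1000000000 } };
	struct dirfix f;
	struct stat sb;
	int ok = 0;

	if (mkdtemp(base) == NULL)
		return 0;
	snprintf(victim, sizeof victim, "%s/victim", base);
	snprintf(target, sizeof target, "%s/target", base);
	if (mkdir(victim, 0700) == 0 && mkdir(target, 0700) == 0 &&
	    record_dir(victim, 0755, ts, &f) == 0 &&
	    rmdir(victim) == 0 && symlink(target, victim) == 0 &&	/* the swap */
	    fixup_dir(&f) == -1 &&
	    stat(target, &sb) == 0 && (sb.st_mode & 07777) == 0700 &&	/* untouched */
	    unlink(victim) == 0 && mkdir(victim, 0700) == 0 &&
	    record_dir(victim, 0755, ts, &f) == 0 && fixup_dir(&f) == 0 &&
	    stat(victim, &sb) == 0 && (sb.st_mode & 07777) == 0755 &&
	    sb.st_mtime == 1000000000)
		ok = 1;
	rmdir(victim);
	unlink(victim);
	rmdir(target);
	rmdir(base);
	return ok;
}
```

open(O_DIRECTORY) on its own is not the protection: it happily follows a symlink to any directory. The protection is that fstat() on the resulting descriptor is compared against the dev+ino recorded at creation, and the fchmod()/futimens() calls then act on that same descriptor.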
by the memcpy() overlap check.
ok millert@ deraadt@
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)
Eliminate a couple unneeded #includes
found with the new mandoc(1) MANDOCERR_AN_MISSING warning;
no text changes
ok guenther
argument to (char *), and malloc/calloc's return value to the type
of the variable it's being assigned to.
Convert the one calloc() where the zeroing isn't needed to a reallocarray().
ok millert@
ignoring signals when they were already ignored
ok millert@
truncated reads. Until better detection of that case can be implemented,
back out that part of rev 1.45
problem noted by sthen@
that are walked by routines called from the signal handler and use
dprintf() instead of fprintf() in ar_close().
ok millert@