Solved

After interesting/insightful inputs from different users, here are the takeaways:

  • It doesn’t have some critical or dangerous impact or implications when extracted
  • It contains the tared parent folder (see below for some neat tricks)
  • It only overwrites the owner/permission if ./ itself is included in the tar file as a directory.
  • Tarbombs are specially crafted tar archives with absolute paths / (by default (GNU) tar strips absolute paths and will throw a warning except if used with a special option –absolute-names or -P)
  • Interesting read: Path-traversal vulnerability (../)

Some neat trick I learned from the post

Temporarily created subshell with its own environment:

Let’s say you’re in the home directory that’s called /home/joe. You could go something like:

> (cd bin && pwd) && pwd
/home/joe/bin
/home/joe

source

Exclude parent folder and ./ ./file from tar

There are probably a lot of different ways to achieve that expected goal:

(cd mydir/ && tar -czvf mydir.tgz *)

find mydir/ -printf "%P\n" | tar -czf mytar.tgz --no-recursion -C mydir/ -T - source


The absolute path could overwrite my directory structure (tarbomb) source Will overwrite permission/owner to the current directory if extracted. source

I’m sorry if my question wasn’t clear enough, I’m really doing my best to be as comprehensible as possible :/


Hi everyone !

I’m playing a bit around with tar to understand how it works under the hood. While poking around and searching through the web I couldn’t find an actual answer, on what are the implication of ./ and ./file structure in the tar archive.

Output 1

sudo find ./testar -maxdepth 1 -type d,f -printf "%P\n" | sudo tar -czvf ./xtractar/tar1/testbackup1.tgz -C ./testar -T -
#output
> tar tf tar1/testbackup1.tgz 

text.tz
test
my
file.txt
.testzero
test01/
test01/never.xml
test01/file.exe
test01/file.tar
test01/files
test01/.testfiles
My test folder.txt

Output 2

sudo find ./testar -maxdepth 1 -type d,f  | sudo tar -czvf ./xtractar/tar2/testbackup2.tgz -C ./testar -T -
#output
>tar tf tar2/testbackup2.tgz

./testar/
./testar/text.tz
./testar/test
./testar/my
./testar/file.txt
./testar/.testzero
./testar/test01/
./testar/test01/never.xml
./testar/test01/file.exe
./testar/test01/file.tar
./testar/test01/files
./testar/test01/.testfiles
./testar/My test folder.txt
./testar/text.tz
./testar/test
./testar/my
./testar/file.txt
./testar/.testzero
./testar/test01/
./testar/test01/never.xml
./testar/test01/file.exe
./testar/test01/file.tar
./testar/test01/files
./testar/test01/.testfiles
./testar/My test folder.txt

The outputs are clearly different and if I extract them both the only difference I see is that the second outputs the parent folder. But reading here and here this is not a good solution? But nobody actually says why?

Has anyone a good explanation why the second way is bad practice? Or not recommended?

Thank you :)

  • kevincox
    link
    fedilink
    arrow-up
    6
    ·
    9 months ago

    A “tarbomb” usually refers to an archive that has multiple (often a large number) of top-level items. Traditionally a tar archive contains a single folder, which may contain more things inside of this. This can be annoying because if you do tar -xf tarbomb.tar in your home directory (or downloads folder) you now have a bit of a mess that you need to clean up.

    It is a bit of a historical artifact, most archive managers will create a folder for the contents if there are multiple top-level items, and you really shouldn’t be extracting archives in directories with other files anyways as it could be a security issue (for example if there is a .profile or .ssh/authorized_keys file in that archive). Of course tar won’t protect you by default unless you pass --one-top-level.

    I think what you are concerned about is a path-traversal vulnerability where tar will write files outside of the current directory. Any modern tar should not allow this, no matter what the archive contains.

    • N0x0nOP
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      Thank you for the clarification ! That’s way most post are from 2007 and couldn’t find any recent documentation !

      Will take a look at path-traversal vulnerability thanks for the info !