Solved

After some interesting and insightful input from different users, here are the takeaways on the ./ and ./file structure in a tar archive:

  • It has no critical or dangerous implications when the archive is extracted.
  • It contains the tarred parent folder (see below for some neat tricks).
  • It only overwrites the owner/permissions of the current directory if ./ itself is included in the tar file as a directory.
  • Tarbombs are specially crafted tar archives with absolute paths (/). By default, GNU tar strips the leading / from member names and prints a warning, unless the --absolute-names (-P) option is used.
  • Interesting read: Path-traversal vulnerability (../)
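To see the absolute-path behaviour for yourself, here is a minimal sketch, assuming GNU tar and a throwaway directory from mktemp (the file name file.txt is just a placeholder). It archives a file by its absolute path and then lists what was actually stored:

```shell
set -eu

# Throwaway working directory (mktemp -d returns an absolute path)
work=$(mktemp -d)
echo data > "$work/file.txt"

# Archive the file by its absolute path. GNU tar warns on stderr that it is
# removing the leading "/" from member names; the warning is captured here.
tar -cf "$work/abs.tar" "$work/file.txt" 2> "$work/warning.txt"

# List the member names that ended up in the archive
members=$(tar -tf "$work/abs.tar")
echo "stored as: $members"
cat "$work/warning.txt"

rm -rf "$work"
```

The member name should come back without the leading /, and the captured warning is tar telling you so.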

Some neat tricks I learned from the post

Temporarily created subshell with its own environment:

Let’s say you’re in the home directory that’s called /home/joe. You could do something like:

> (cd bin && pwd) && pwd
/home/joe/bin
/home/joe

source
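The same idea as a small script, as a sketch: everything inside the parentheses runs in a subshell, so neither the cd nor the variable assignment leaks out. The variable name greeting is made up for the illustration.

```shell
# Remember where we started and set a variable in the outer shell
start_dir=$PWD
greeting=outer

(
  # Both changes below only exist inside this subshell
  cd /
  greeting=inner
  echo "inside:  $PWD, greeting=$greeting"
)

# Back in the outer shell: directory and variable are unchanged
echo "outside: $PWD, greeting=$greeting"
```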

Exclude parent folder and ./ ./file from tar

There are probably a lot of different ways to achieve that expected goal:

(cd mydir/ && tar -czvf ../mydir.tgz *)

find mydir/ -printf "%P\n" | tar -czf mytar.tgz --no-recursion -C mydir/ -T -

source
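A variant of the find approach, sketched under the assumption of GNU find and GNU tar: -printf '%P\0' together with --null passes NUL-separated names, so file names with spaces or newlines stay intact, and -mindepth 1 skips the empty name that %P produces for mydir itself. The directory layout is invented for the demo.

```shell
set -eu

# Throwaway test tree with a hidden file and a name containing spaces
work=$(mktemp -d)
mkdir -p "$work/mydir/sub"
: > "$work/mydir/.hidden"
: > "$work/mydir/My test folder.txt"
: > "$work/mydir/sub/file.txt"

# find prints every path relative to mydir, NUL-terminated.
# --null must come before -T so that tar reads NUL-terminated names;
# --no-recursion stops tar from descending into directories that find
# already walked, which would otherwise store their contents twice.
find "$work/mydir" -mindepth 1 -printf '%P\0' |
  tar -czf "$work/mydir.tgz" --null --no-recursion -C "$work/mydir" -T -

# Member names carry neither the parent folder nor a ./ prefix
listing=$(tar -tzf "$work/mydir.tgz" | sort)
printf '%s\n' "$listing"

rm -rf "$work"
```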


The absolute path could overwrite my directory structure (tarbomb) source

Will overwrite permission/owner to the current directory if extracted. source
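To check the ./ point yourself, here is a rough sketch assuming GNU tar and GNU stat (stat -c is GNU-specific); the directory names src and dest are placeholders. It archives a directory via "." so the archive gets a ./ member, then extracts into a directory with a different mode and prints the mode before and after:

```shell
set -eu

work=$(mktemp -d)
mkdir "$work/src" "$work/dest"
echo data > "$work/src/file.txt"
chmod 700 "$work/src"    # mode that gets recorded for the ./ member
chmod 755 "$work/dest"   # mode of the extraction target before extracting

# Archiving "." stores the directory itself as the member "./",
# together with its mode and owner
tar -cf "$work/with_dot.tar" -C "$work/src" .
members=$(tar -tf "$work/with_dot.tar")

# Extract into dest and compare its mode before and after
mode_before=$(stat -c '%a' "$work/dest")
tar -xf "$work/with_dot.tar" -C "$work/dest"
mode_after=$(stat -c '%a' "$work/dest")

printf 'members:\n%s\n' "$members"
echo "dest mode before: $mode_before, after: $mode_after"

rm -rf "$work"
```

With GNU tar's defaults I would expect the mode of dest to change to the one recorded for ./. The --no-overwrite-dir option is documented as preserving the metadata of existing directories, so that is the switch to try if you want to keep the target untouched.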

I’m sorry if my question wasn’t clear enough, I’m really doing my best to be as comprehensible as possible :/


Hi everyone !

I’m playing around a bit with tar to understand how it works under the hood. While poking around and searching the web, I couldn’t find an actual answer on what the implications of the ./ and ./file structure in a tar archive are.

Output 1

sudo find ./testar -maxdepth 1 -type d,f -printf "%P\n" | sudo tar -czvf ./xtractar/tar1/testbackup1.tgz -C ./testar -T -
#output
> tar tf tar1/testbackup1.tgz 

text.tz
test
my
file.txt
.testzero
test01/
test01/never.xml
test01/file.exe
test01/file.tar
test01/files
test01/.testfiles
My test folder.txt

Output 2

sudo find ./testar -maxdepth 1 -type d,f  | sudo tar -czvf ./xtractar/tar2/testbackup2.tgz -C ./testar -T -
#output
> tar tf tar2/testbackup2.tgz

./testar/
./testar/text.tz
./testar/test
./testar/my
./testar/file.txt
./testar/.testzero
./testar/test01/
./testar/test01/never.xml
./testar/test01/file.exe
./testar/test01/file.tar
./testar/test01/files
./testar/test01/.testfiles
./testar/My test folder.txt
./testar/text.tz
./testar/test
./testar/my
./testar/file.txt
./testar/.testzero
./testar/test01/
./testar/test01/never.xml
./testar/test01/file.exe
./testar/test01/file.tar
./testar/test01/files
./testar/test01/.testfiles
./testar/My test folder.txt

The outputs are clearly different, and if I extract them both, the only difference I see is that the second one includes the parent folder. But from what I read here and here, this is not a good solution, and nobody actually says why.

Does anyone have a good explanation of why the second way is bad practice, or not recommended?

Thank you :)

  • FigMcLargeHuge
    9 months ago

    You probably want to step back and look at the output of your find command. That is where your difference is coming from. The -printf "%P\n" version gives you just the file names relative to the folder, while the version without -printf gives you the folder name first. When I am doing something like this, I usually send the output of the find command to a file, and then use that file as the input for the tar command. That gives me a chance to take a look at the files that are going to be tarred up. In output 2, you are getting your base folder included in the tar file, which, as you have noticed, you may or may not want. You are also getting different data as you have -maxdepth 1 on your find command.

    Edit: So I may not have explained what you were asking about. The implication here is that you will have to be careful where you untar this file based on whether or not you want your “testar” folder laid down when it’s untarred. I noticed that you are also getting duplicates in your output 2 tar file, because you are feeding it the folder, and then the folder contents. So it tars up the folder and then you come after that and feed it the files contained in the folders.
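A rough sketch of the "write the list to a file, check it, then run tar" workflow described above, assuming GNU tar; the tree and the file name filelist.txt are invented for the demo. It also shows where the duplicates come from: when the list names both a folder and its contents, tar recurses into the folder and then adds the listed contents again, unless --no-recursion is given.

```shell
set -eu

work=$(mktemp -d)
mkdir -p "$work/testar/test01"
: > "$work/testar/file.txt"
: > "$work/testar/test01/never.xml"

# Step 1: write the candidate list to a file instead of piping it into tar
list="$work/filelist.txt"
(cd "$work" && find ./testar) > "$list"

# Step 2: review the list before anything gets archived
cat "$list"

# Step 3a: feed the list to tar as-is; listed directories are recursed into,
# so their contents can end up in the archive more than once
tar -czf "$work/recursive.tgz" -C "$work" -T "$list"
dupes_recursive=$(tar -tzf "$work/recursive.tgz" | sort | uniq -d)

# Step 3b: same list with --no-recursion; every listed path is stored once
tar -czf "$work/flat.tgz" -C "$work" --no-recursion -T "$list"
dupes_flat=$(tar -tzf "$work/flat.tgz" | sort | uniq -d)

printf 'duplicates with recursion:\n%s\n' "$dupes_recursive"
printf 'duplicates with --no-recursion:\n%s\n' "$dupes_flat"

rm -rf "$work"
```

Note that a newline-separated list like this one breaks on file names that contain newlines.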

    • N0x0n@lemmy.ml (OP)
      9 months ago

      Thank you ! Your edit is related to what’s called a tarbomb. I also found out that it will overwrite the owner and permissions of the current directory… Very odd behavior ! source

      I noticed that you are also getting duplicates in your output 2 tar file, because you are feeding it the folder, and then the folder contents. 
      

      Haha, that was only an example xD to give context. My English is not that good, so I have to somehow show what I mean.

      • FigMcLargeHuge
        9 months ago

        No problem. Again, I wouldn’t feed tar output from a find command when you are getting all files and folders (-type d,f). Just let tar go grab everything on its own. If you need to feed it a list of files, use find to export the list, and then check it before you let tar run on that output. Just my two cents.

        • N0x0n@lemmy.ml (OP)
          9 months ago

          Thanks ! I changed that specific point and my command looks way cleaner now ! But I still use the find command to extract the names with -printf "%P\n" to tar only the files without the parent folder and ./ ./files. I prefer it that way, it looks cleaner. But -type d,f is useless !

          use find to export the list, and then check it before you let tar run on that output

          This seems like a more secure way of doing things. Do you have any personal experience with piped tar commands that backfired and put your system at risk?

          Edit: I just found an easier way… (cd testar/ && tar -czvf ../mydir.tgz {*,.*}) Which includes hidden files without parent folder and ./ !
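One caveat with {*,.*}, hedged because it depends on the shell: in older bash versions (before 5.2, as far as I know) the pattern .* also matches . and .., so it is worth checking what the glob expands to before trusting the archive. A more portable sketch uses the POSIX patterns .[!.]* and ..?*, which cannot match . or .. themselves. The directory contents here are invented for the demo:

```shell
set -e

work=$(mktemp -d)
mkdir -p "$work/testar/sub"
: > "$work/testar/.hidden"
: > "$work/testar/file.txt"
: > "$work/testar/sub/inner.txt"

(
  cd "$work/testar"
  # Collect visible and hidden entries as positional parameters.
  # A pattern that matches nothing stays literal, so skip names that
  # do not exist.
  set --
  for entry in * .[!.]* ..?*; do
    [ -e "$entry" ] || [ -L "$entry" ] || continue
    set -- "$@" "$entry"
  done
  # "--" keeps tar from reading a name that starts with "-" as an option
  tar -czf ../mydir.tgz -- "$@"
)

# Hidden files are included; no parent folder, no ./ and no ../ entries
listing=$(tar -tzf "$work/mydir.tgz" | sort)
printf '%s\n' "$listing"

rm -rf "$work"
```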

          • FigMcLargeHuge
            9 months ago

            Do you have any personal experience with piped tar commands that backfired and put your system at risk?

            No, I do not. I never even thought of piping output to a tar command, and I have been using tar so long that I have run the command on an actual tape archive. I use the -T option quite a bit, but I always test the input file before ever running the command. If I don’t generate the list of files and use -T, then I just let tar do the file selection.