[BusyBox] Bug report: untarring setuid files with symbolic links to them

Ben Weintraub benwei at veriwave.com
Sun Dec 21 01:06:50 UTC 2003 

I have been experimenting with the busybox version of tar, trying to
find out why my the setuid bits on some of my files are not preserved,
while others are, and I think I have found the reason.  It appears that
setuid files that have symbolic links to them don't get their setuid bit
preserved by bb tar, while GNU tar does preserve them.  

I made a simple test case so I could see if this was really the issue. 
I have a directory with some files in it like this:
-rwsr-sr-x    1 benwei   benwei        12K Dec 20 16:44 hello
-rw-r--r--    1 benwei   benwei        111 Dec 20 16:44 hello.c
-rwsr-sr-x    1 benwei   benwei        12K Dec 20 16:56 hello2
lrwxrwxrwx    1 benwei   benwei          5 Dec 20 16:44 hithere -> hello
So as you can see, hello and hello2 are setuid executables.  hithere is
a symbolic link to hello.  hello.c is just a normal file.  I made a
makefile which creates a tar archive of this directory using the
--preserve-permissions option, and then untars it with busybox tar and
GNU tar.  Here is what happens:

mkdir ./gnutar
mkdir ./bb
tar --preserve-permissions -cvf ./dir.tar dir
dir/
dir/hello
dir/hello.c
dir/hithere
dir/hello2
tar -C ./gnutar --preserve-permissions -xvf ./dir.tar
dir/
dir/hello
dir/hello.c
dir/hithere
dir/hello2
./busybox tar -p -C ./bb -xvf ./dir.tar
dir
dir/hello
dir/hello.c
dir/hithere
dir/hello2
ls -lh ./gnutar/dir/hello
-rwsr-sr-x    1 benwei   benwei        12K Dec 20 16:44
./gnutar/dir/hello
ls -lh ./gnutar/dir/hello2
-rwsr-sr-x    1 benwei   benwei        12K Dec 20 16:56
./gnutar/dir/hello2
ls -lh ./bb/dir/hello
-rwxrwxrwx    1 benwei   benwei        12K Dec 20 16:44 ./bb/dir/hello
ls -lh ./bb/dir/hello2
-rwsr-sr-x    1 benwei   benwei        12K Dec 20 16:56 ./bb/dir/hello2

As you can see, both versions preserve the setuid bit on hello2, which
has no symbolic links to it.  However, only GNU tar preserves the setuid
bit on hello, which does have a symbolic link to it.
-- 
Ben Weintraub <benwei at veriwave.com>

More information about the busybox mailing list