GNU tar 1.34: 10.2.4 Security Rules of Thumb

10.2.4 Security Rules of Thumb

This section briefly summarizes rules of thumb for avoiding security pitfalls.

  • Protect archives at least as much as you protect any of the files being archived.
  • Extract from an untrusted archive only into an otherwise-empty directory. This directory and its parent should be accessible only to trusted users. For example:

        $ chmod go-rwx .
        $ mkdir -m go-rwx dir
        $ cd dir
        $ tar -xvf /archives/got-it-off-the-net.tar.gz

    As a corollary, do not do an incremental restore from an untrusted archive.
  • Do not let untrusted users access files extracted from untrusted archives without checking first for problems such as setuid programs.
  • Do not let untrusted users modify directories that are ancestors of top-level arguments of tar. For example, while you are executing ‘tar -cf /archive/u-home.tar /u/home’, do not let an untrusted user modify ‘/’, ‘/archive’, or ‘/u’.
  • Pay attention to the diagnostics and exit status of tar.
  • When archiving live file systems, monitor running instances of tar to detect denial-of-service attacks.
  • Avoid unusual options such as ‘--absolute-names’ (‘-P’), ‘--dereference’ (‘-h’), ‘--overwrite’, ‘--recursive-unlink’, and ‘--remove-files’ unless you understand their security implications.
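
The following script is an added example, not part of the GNU tar manual. It combines three of the rules above: extract only into a new private directory, stop on any non-zero tar exit status, and check the result before anyone else gets access. The function names and finding labels are this example's own, and the checks go beyond the setuid case the manual names to cover setgid files, device nodes, world-writable entries, and symlinks with absolute or ".." targets.

```shell
#!/bin/sh
# Added example (constructed); function names and labels are this example's own.

# audit_extracted DIR
# Print one "KIND<TAB>PATH" line per entry worth reviewing; return 1 if any.
audit_extracted() {
    dir=$1
    findings=$(
        # setuid or setgid regular files
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec printf 'setid\t%s\n' {} +
        # block or character device nodes
        find "$dir" \( -type b -o -type c \) -exec printf 'device\t%s\n' {} +
        # anything writable by every user
        find "$dir" ! -type l -perm -0002 -exec printf 'world-writable\t%s\n' {} +
        # symlinks whose target is absolute or contains a ".." component
        find "$dir" -type l | while IFS= read -r link; do
            case $(readlink "$link") in
                /*|..|../*|*/..|*/../*) printf 'symlink\t%s\n' "$link" ;;
            esac
        done
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# extract_untrusted ARCHIVE DEST
# DEST must not exist yet and its parent must already be private to you.
# Returns 0 and prints DEST when clean, 1 on audit findings, 2 on any tar
# or mkdir failure.
extract_untrusted() {
    archive=$1 dest=$2
    # mkdir fails if DEST exists, so extraction always starts from empty.
    mkdir -m go-rwx "$dest" || return 2
    if ! tar -xf "$archive" -C "$dest"; then
        echo "tar failed on $archive; treat $dest as suspect" >&2
        return 2
    fi
    audit_extracted "$dest" >&2 || return 1
    printf '%s\n' "$dest"
}

if [ "$#" -eq 2 ]; then extract_untrusted "$1" "$2"; fi
```

A non-zero return means the tree needs review before its permissions are opened up. The audit lists candidates for inspection and does not prove that a tree is safe.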




This document was generated on March 24, 2021 using texi2html 5.0.