mark functions as static when they're unused elsewhere, makes the
code slightly easier to understand.

okay and tweak kn@

Tighten pledge in List and Append mode:

Drop "wpath cpath fattr dpath" in read-only:
- cpio -i -t < test.tar
- pax < test.tar
- tar -t -f test.tar

Drop "cpath fattr dpath" in read-write:
- echo

Tighten pledge in List and Append mode:

Drop "wpath cpath fattr dpath" in read-only:
- cpio -i -t < test.tar
- pax < test.tar
- tar -t -f test.tar

Drop "cpath fattr dpath" in read-write:
- echo foo | cpio -o -A -H ustar -O test.tar
- tar -r -f test.tar foo
- pax -w -a -f test.tar foo

Other modes remain unchanged and thus can create or modify files.

Feedback OK millert

show more ...

Pledge once with or without "proc exec", not twice

Spotted while comparing ktraces between 'tar -z' and 'gzcat | tar -f-'.

Only the former runs, e.g. gzip(1), but the latter also pledges theses pro

Pledge once with or without "proc exec", not twice

Spotted while comparing ktraces between 'tar -z' and 'gzcat | tar -f-'.

Only the former runs, e.g. gzip(1), but the latter also pledges theses promises
just to pledge again immediately afterwards without them.

Make the calls mutually exclusive so 'tar -f-' et al. skip the first pledge
and thus never have "proc exec" to begin wth.

"looks good to me" mbuhl
OK millert

show more ...

It isn't portable to use stderr (or std{in,out}) in file-scope
initializers as they are not required to be compile-time constants.
So, intialize these global variables at the top of main().

ok miod@

It isn't portable to use stderr (or std{in,out}) in file-scope
initializers as they are not required to be compile-time constants.
So, intialize these global variables at the top of main().

ok miod@ deraadt@ yasuoka@ millert@

show more ...

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

show more ...

Use the new libc uid_from_user() and gid_from_group() instead of
the pax-specific functions in cache.c. OK guenther@

Convert snprintf+write into dprintf. It is simply easier to read, and
provides retry on short-write file descriptors.
ok florian, previous versions seen by millert

switch pax to using pledge tape instead of ioctl.

ok kettenis

Slow down the churn and continue using old pledge name "ioctl" instead
of "tape" for a week or so.

Split pledge "ioctl" into "tape" and "bpf", and allow SIOCGIFGROUP only
upon "inet". Adjust the 4 programs that care about this.

Don't need <sys/time.h> or "options.h" here

Instead of doing strcmp(argv0), track the invocation mode (pax/tar/cpio)
in a separate variable

ok deraadt@

allow creation of devices or fifo without -p (as it is already allowed with -p)

diff from trondd at kagu-tsuchi com, enhanced by me for reordering promises

ok deraadt@

Replace "tame" by "pledge" in a comment.

pledge "dpath" to allow creation of nodes via mkfifo(2) and mknod(2)
NOTE: dpath requires a fairly new kernel
ok semarie

preservation modes can adjust setugid bits, so no pledge is possible.
Otherwise, lay the groundwork for whether a gzip program may be run or not.
After such a gzip program is started, pledge the prog

preservation modes can adjust setugid bits, so no pledge is possible.
Otherwise, lay the groundwork for whether a gzip program may be run or not.
After such a gzip program is started, pledge the program will not exec
again. Took a few iterations to get this going... it is looking good.
with guenther.

show more ...

Unrevert post-unlock:
* Prevent an archive from esacaping the current directory by itself:
when extracting a symlink whose value is absolute or contains ".."
components, just create a zero-length

Unrevert post-unlock:
* Prevent an archive from esacaping the current directory by itself:
when extracting a symlink whose value is absolute or contains ".."
components, just create a zero-length normal file (with additional
tracking of the mode and hardlinks to the symlink) until everything
else is extracted, then go back and replace it with the requested
link (if it's still that zero-length placeholder).

* For tar without -P, if a path in the archive has any ".." components
then strip everything up to and including the last of them (if
it ends in ".." then it becomes ".")
This mostly follows GNU tar's behavior, except for 'tar tf' and
'tar xvf' we report the modified path that would be/was actually
created instead of the raw path from the archive

Above two fixes prompted by a report from Daniel Cegielka
(daniel.cegielka (at) gmail.com)

* For directories whose times or mode will be fixed up in the
clean-up pass, record their dev+ino and then use
open(O_DIRECTORY)+fstat() to verify that we're updating the correct
directory before using futimens() and fchmod().

* Correct buffer overflow in handling of pax extension headers,
caught by the memcpy() overlap check.


previously ok millert@ deraadt@

show more ...

Recent changes haven't been completely stable, so revert for the 5.7 release

requested by deraadt@

Prevent an archive from esacaping the current directory by itself:
when extracting a symlink whose value is absolute or contains ".."
components, just create a zero-length normal file (with additiona

Prevent an archive from esacaping the current directory by itself:
when extracting a symlink whose value is absolute or contains ".."
components, just create a zero-length normal file (with additional
tracking of the mode and hardlinks to the symlink) until everything
else is extracted, then go back and replace it with the requested
link (if its still that zero-length placeholder).

This and previous symlink and ".." path fixes prompted by a report
from Daniel Cegielka (daniel.cegielka (at) gmail.com)

ok millert@

show more ...

Don't leak the fds for "." and the tty to the compression process

Make signal setup clearer via helper function, eliminating a gap in
ignoring signals when they were already ignored

ok millert@

Make the signal handler safe: block signals when updating data-structures
that are walked by routines called from the signal handler and use
dprintf() instead fprintf() in ar_close().

ok millert@

Update pax -v format to match "ls -l": display the year for dates
in the future and include a space between the major and minor numbers
for devices. Eliminate bogus handling of LC_TIME environment v

Update pax -v format to match "ls -l": display the year for dates
in the future and include a space between the major and minor numbers
for devices. Eliminate bogus handling of LC_TIME environment variable.
Make strftime() format selection understandable by gcc -Wformat=2.

ok millert@

show more ...

remove some unnecessary sys/param.h inclusions

add newline to signal error messages; Thomas Pfaff