Path: utzoo!yunexus!geac!syntron!jtsv16!uunet!lll-winken!lll-tis!ames!mailrus!cornell!uw-beaver!tikal!sigma!sea375!dave
From: dave@sea375.UUCP (David A. Wilson)
Newsgroups: comp.unix.microport
Subject: Security hole in tar on Microport
Message-ID: <226@sea375.UUCP>
Date: 29 Oct 88 21:51:14 GMT
Article-I.D.: sea375.226
Organization: At Home in Seattle, WA
Lines: 17

I have a problem with using tar on Microport. I created a tar floppy on a
system as an unprivileged user. When I extracted the floppy on another
system running Microport System V/AT version 2.3, all the files extracted
were owned by the userid of the other system. I was logged on to Microport
as an unprivileged user and expected the files to be owned by me. What a
surprise! I did not use the 'p' option on tar, and the tar program is not
setuid or setgid.

How can this happen? It seems like a rather large security hole to me!
I have never seen this behavior on other systems, so what's the problem
with Microport? Are other utilities in Microport allowed to do this also?

Concerned,
David A. Wilson
dave@sea375.UUCP
uw-beaver!tikal!slab!sea375!dave
-- 
David A. Wilson
uw-beaver!tikal!slab!sea375!dave
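
Each tar member header records a numeric uid and gid, which is the ownership information an extractor may restore. As an added example (not part of the original post), this Python code reads those fields straight from the 512-byte headers and lists members whose recorded owner differs from the extracting user; the sample archive, file names and uid/gid values are constructed.

```python
import io
import tarfile

BLOCK = 512  # tar archives are a sequence of 512-byte blocks

def octal(field: bytes) -> int:
    """Decode a NUL/space-terminated octal tar header field."""
    text = field.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0

def recorded_owners(archive: bytes):
    """Yield (name, uid, gid) for every member header in a v7/ustar archive."""
    pos = 0
    while pos + BLOCK <= len(archive):
        hdr = archive[pos:pos + BLOCK]
        if hdr == b"\0" * BLOCK:          # end-of-archive marker
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode("ascii", "replace")
        uid, gid = octal(hdr[108:116]), octal(hdr[116:124])
        size = octal(hdr[124:136])
        yield name, uid, gid
        # Skip the header plus the file data, rounded up to whole blocks.
        pos += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK

def foreign_owned(archive: bytes, my_uid: int, my_gid: int):
    """Members whose recorded owner differs from the extracting user."""
    return [(n, u, g) for n, u, g in recorded_owners(archive)
            if u != my_uid or g != my_gid]

def build_sample() -> bytes:
    """Constructed sample: two files recorded with different made-up uids."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, uid, gid, data in [("notes.txt", 201, 50, b"hello\n"),
                                     ("report.txt", 105, 50, b"x" * 600)]:
            info = tarfile.TarInfo(name)
            info.uid, info.gid, info.size = uid, gid, len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    # Extracting user assumed to be uid 105, gid 50 (constructed values).
    for name, uid, gid in foreign_owned(build_sample(), 105, 50):
        print(f"{name}: archive records uid={uid} gid={gid}")
```

Running the check before extraction shows which files would end up owned by someone else on a system where the extractor applies the recorded ids.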