modifying an existing archive changes original permissions

Bug #1780380 reported by asd on 2018-07-06
This bug affects 1 person
Affects                Status    Importance  Assigned to  Milestone
File Roller            Expired   High
file-roller (Ubuntu)             High        Unassigned

Bug Description

Hello,

Modifying an existing archive with file-roller results in the original archive permissions being changed/not being preserved.

Creating a new archive and then changing permission to 600

test@gnu:~/Desktop$ ls -ld test.zip
-rw------- 1 test test 943098 Jul 6 01:11 test.zip

test@gnu:~/Desktop$ stat test.zip
  File: test.zip
  Size: 487575 Blocks: 976 IO Block: 4096 regular file
Device: 36h/54d Inode: 6820796 Links: 1
Access: (0600/-rw-------) Uid: ( 1000/ test) Gid: ( 1000/ test)
Access: 2018-07-06 01:15:59.763424802 -0400
Modify: 2018-07-06 01:15:59.711424502 -0400
Change: 2018-07-06 01:16:18.159530978 -0400
 Birth: -

Opening the archive with file roller, and adding a new file:

test@gnu:~/Desktop$ ls -ld test.zip
-rw-r--r-- 1 test test 1430045 Jul 6 01:12 test.zip

test@gnu:~/Desktop$ stat test.zip
  File: test.zip
  Size: 486572 Blocks: 968 IO Block: 4096 regular file
Device: 36h/54d Inode: 6820794 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1000/ test) Gid: ( 1000/ test)
Access: 2018-07-06 01:16:29.519596466 -0400
Modify: 2018-07-06 01:16:29.455596097 -0400
Change: 2018-07-06 01:16:29.475596212 -0400

File-roller version: 3.28.0

Distributor ID: Ubuntu
Description: Ubuntu 18.04 LTS
Release: 18.04
Codename: bionic

Created attachment 364129
Video of Fileroller changing perms

Hello,

Ubuntu Security referred me to file a bug here.

When dragging and dropping a file into a .tar.gz file that has permissions 600 set to it, in the background, a new archive is created with different permissions than the original artifact.

Example:

user@gnu:~/Documents/test$ ls -l
total 11380
-rwxr-xr-x 1 dolev dolev 901 Nov 19 00:28 index.html
-rw------- 1 dolev dolev 11629401 Nov 19 00:39 test.tar.gz

When I drag and drop index.html into test.tar.gz, the following happens:

1) a new .tar.gz file (vliv8kxjt2J6BRwz.test.tar.gz) is created while the file is being copied

2) when it's done, the original file gets deleted (test.tar.gz).

3) 'vliv8kxjt2J6BRwz.test.tar.gz' then gets renamed to the original filename 'test.tar.gz', while not preserving the original permissions. I'm guessing it takes umask.

While the file was being created:
-rw------- 1 user user 901 Nov 19 00:28 index.html
-rw------- 1 user user 11629401 Nov 19 00:44 test.tar.gz
-rw-rw-r-- 1 user user 10137600 Nov 19 00:47 vliv8kxjt2J6BRwz.test.tar.gz
total 11380

After it's done, notice the permissions changed from 600 to 664:
-rw------- 1 user user 901 Nov 19 00:28 index.html
-rw-rw-r-- 1 user user 11629406 Nov 19 00:47 test.tar.gz
total 11380

Since the user is simply dragging and dropping a file, it's not obvious that the file now has different permissions. Also, in shared environments, read permissions for others allow decompressing the archive.

Attached is a video for your convenience.
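
The temp-file-then-rename sequence from steps 1-3 above, as an added example that is not file-roller's code and not part of the original report: it shows the rewrite taking the umask next to a variant that copies the original mode onto the temp file before the rename. The names replace_archive and demo, the /tmp scratch path and the umask of 022 are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Replace `path` with `data` via temp file + rename (the sequence in the report).
 * preserve=0: temp file is created 0666 & ~umask, so the result takes the umask.
 * preserve=1: temp file starts 0600 (mkstemp) and gets the original's mode before
 *             the rename, so it is never more readable than the original.
 * Returns the final permission bits, or -1 on error. */
int replace_archive(const char *path, const char *data, int preserve)
{
    struct stat st;
    char tmp[512];
    int fd;

    if (stat(path, &st) != 0) return -1;
    snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    fd = preserve ? mkstemp(tmp) : open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0) return -1;
    if (write(fd, data, strlen(data)) < 0 ||
        (preserve && fchmod(fd, st.st_mode & 07777) != 0) ||
        fsync(fd) != 0) {
        close(fd); unlink(tmp); return -1;
    }
    close(fd);
    if (rename(tmp, path) != 0) { unlink(tmp); return -1; }
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}

/* Constructed scenario: a 0600 archive rewritten under umask 022. */
int demo(int preserve)
{
    char dir[] = "/tmp/fr-demo-XXXXXX", path[64];
    int fd, mode;
    if (!mkdtemp(dir)) return -1;
    umask(022);
    snprintf(path, sizeof path, "%s/test.zip", dir);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    mode = replace_archive(path, "constructed archive bytes", preserve);
    unlink(path); rmdir(dir);
    return mode;
}
```

Only the mode bits are carried over here; ownership, ACLs and extended attributes would need the same treatment.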

Emily Ratliff (emilyr) wrote :

This appears to be the same bug as https://bugzilla.gnome.org/show_bug.cgi?id=790672

Emily Ratliff (emilyr) on 2018-07-06
information type: Private Security → Public Security
Changed in file-roller (Ubuntu):
importance: Undecided → High
status: New → Triaged

bugzilla.gnome.org is being replaced by gitlab.gnome.org. We are closing all old bug reports and feature requests in GNOME Bugzilla which have not seen updates for a long time.

If you still use file-roller and if you still see this bug / want this feature in a currently supported version of GNOME (currently that would be 3.38), then please feel free to report it at https://gitlab.gnome.org/GNOME/file-roller/-/issues/

Thank you for creating this report and we are sorry it could not be implemented (volunteer workforce and time is limited).

Changed in file-roller:
importance: Unknown → High
status: Unknown → Expired