From 93c0bc1e4309cab60fedb98bab294255da0d0313 Mon Sep 17 00:00:00 2001
From: matthew-pilot
Date: Sat, 30 May 2026 05:07:18 +0000
Subject: [PATCH] fix: add --no-same-owner --no-same-permissions to tar extraction (PILOT-272)

GNU tar preserves file ownership and permissions from the archive by default, including setuid/setgid bits. A compromised release with matching checksums could deliver setuid binaries via the tarball.

Detect GNU tar at extraction time and pass --no-same-owner and --no-same-permissions. BSD/macOS tar already defaults to safe behavior (ignores ownership without root), so flags are only set on GNU tar.

Fixes: PILOT-272
---
 install.sh | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/install.sh b/install.sh
index f3b558fa..4791f4ee 100755
--- a/install.sh
+++ b/install.sh
@@ -266,11 +266,18 @@ if [ -n "$TAG" ]; then
 [ -n "$ACTUAL" ] && echo " Verified SHA-256"
 fi
 fi
+ # GNU tar preserves ownership and permissions from the archive by
+ # default (including setuid/setgid bits). BSD tar ignores ownership
+ # without root, so these flags are only needed on GNU tar.
+ TAR_SAFE=""
+ if tar --version 2>/dev/null | grep -q 'GNU tar'; then
+ TAR_SAFE="--no-same-owner --no-same-permissions"
+ fi
 # macOS bsdtar can fail silently on GitHub gzip archives.
 # Try tar -xzf first; fall back to gunzip|tar on failure.
- if ! tar -xzf "$TMPDIR/$ARCHIVE" -C "$TMPDIR" 2>/dev/null || [ ! -f "$TMPDIR/pilotctl" ]; then
+ if ! tar -xzf "$TMPDIR/$ARCHIVE" -C "$TMPDIR" $TAR_SAFE 2>/dev/null || [ ! -f "$TMPDIR/pilotctl" ]; then
 echo " tar -xzf failed or produced no output; trying gunzip fallback..."
- gunzip -c "$TMPDIR/$ARCHIVE" | tar -x -C "$TMPDIR"
+ gunzip -c "$TMPDIR/$ARCHIVE" | tar -x $TAR_SAFE -C "$TMPDIR"
 fi
 if [ ! -f "$TMPDIR/pilotctl" ]; then
 echo "Error: failed to extract binaries from ${ARCHIVE}"
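Review bot: The added comment above `TAR_SAFE=""` overstates the default: GNU tar uses `--same-owner` and `--same-permissions` by default only when it runs as the superuser, so for an unprivileged user these flags are already the effective behavior and the change matters when the installer is run via sudo or as root (the common `curl | sudo sh` path). I would make the comment say so, e.g. `# GNU tar running as root keeps the archive's owner and full mode bits (incl. setuid/setgid); as a normal user these are already the defaults. BSD tar ignores ownership without root.`, and mention the same in the commit description so the threat model is clear. `$TAR_SAFE` is deliberately left unquoted in both tar invocations so it splits into two flags, which ShellCheck will flag as SC2086; a one-line `# shellcheck disable=SC2086 -- intentionally unquoted, expands to two flags` above each use records that this is not an oversight. The first tar call still sends stderr to /dev/null, so if the detection ever picks a tar that lacks these options the failure is hidden and only the gunzip fallback (which does not suppress stderr) will report it; that is acceptable given the GNU-only gate, but worth a short note. The enclosing `if [ -n "$TAG" ]` block starts before this hunk and continues past it.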