Hacker News new | past | comments | ask | show | jobs | submit login
Gnu tar happily connects to remote hosts, depending on filename
9 points by fooyc on Sept 17, 2013 | hide | past | web | favorite | 5 comments
Today I Learned:

    $ tar xvzf wtf:foo.tar
    tar (child): Cannot connect to wtf: resolve failed
Apparently the ":" in the filename tells tar to connect to "wtf" using the "rsh" command (aliased to "ssh").

There is no mention of this in the man page: http://linuxcommand.org/lc3_man_pages/tar1.html ; apart from the rather surprising --rsh-command and --rmt-command options.

This actually is documented in the "info" pages:

http://www.gnu.org/software/tar/manual/tar.html#SEC152 :

    ‘-f [hostname:]file’

        Use archive file or device file on hostname.

    If the file name contains a ‘:’, it is interpreted as ‘hostname:file
    name’. If the hostname contains an at sign (‘@’), it is treated as
    ‘user@hostname:file name’. In either case, tar will invoke the command
    rsh (or remsh) to start up an /usr/libexec/rmt on the remote machine
Isn't it dangerous that a random filename could trigger "tar" to connect to remote hosts ?

It doesn't look particularly dangerous, but it could be irritating if your filename has a colon character in it. Still, I never heard of this usage of tar before, and I routinely manage several score linux servers. Pretty surprising.

In what way? I mean to say that I could probably think of something, but do you have some specific danger in mind?

The colon's a legal character in Unix filenames, so it's possible someone could send you a file named somehostname:foo.tar and convince you to run tar on it. Of course, if you quote the filename or escape the \:, as bash autocompletion would do, it wouldn't be an issue, but I could imagine some possible scenario.

I don't see how quoting or a shell-level backslash would change tar's behavior to something safe. Tar would still see a colon in its argv either way. Right?

No, it would see \:

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact