From a169f51420795a212c3226f455e783ab8ac5cf47 Mon Sep 17 00:00:00 2001
From: Helmut Grohne
Date: Wed, 31 Jan 2024 08:06:47 +0100
Subject: examples/chroottar.py: harden against tars with high uids
---
 examples/chroottar.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/examples/chroottar.py b/examples/chroottar.py
index 8b374d1..89db0b1 100755
--- a/examples/chroottar.py
+++ b/examples/chroottar.py
@@ -122,6 +122,14 @@ def main() -> None:
 for tmem in tarf:
 if tmem.name.removeprefix("./").startswith("dev/"):
 continue
+ # Our namespace has privileged uids allocated high. Hence
+ # clamp unpacking.
+ if tmem.uid >= 65536 or tmem.gid >= 65536:
+ tmem.mode &= ~0o7000
+ if tmem.uid >= 65536:
+ tmem.uid = 0
+ if tmem.gid >= 65536:
+ tmem.gid = 0
 tarf.extract(tmem, numeric_owner=True)
 linuxnamespaces.bind_mount(".", "/mnt", recursive=True)
 os.chdir("/mnt")
-- 
cgit v1.2.3
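Review bot: The clamp added before `tarf.extract` tests only the upper bound, so a member whose uid or gid parses as negative skips both the ownership reset and the `tmem.mode &= ~0o7000` strip. As far as I know, tarfile's base-256 and pax numeric fields can carry a sign, but I have not traced what extraction then does with such a value. A two-sided test would cover it: `if not (0 <= tmem.uid < 65536 and 0 <= tmem.gid < 65536):` for the mode strip, and the same range on each reset. The literal 65536 also appears four times and has to agree with the id mapping that main presumably sets up outside this hunk. A named constant next to that mapping, with a comment such as `# first id of the privileged range in our namespace; archive members must stay below it`, would keep the two from drifting apart.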