Challenge, Medium,  on  Linux

Extract a tar Archive with Permissions, Ownership, and Extended Attributes Preserved

Many server-side tools - and virtually all OCI container images - ship as compressed tarballs that bundle an entire filesystem tree. Extracting such an archive correctly means keeping the original file permissions, ownership, and extended attributes intact. Miss any of them and:

  • Sensitive files like /etc/shadow may become world-readable.
  • Root-owned files may silently end up owned by the extracting user.
  • Binaries that rely on filesystem capabilities (like ping) may lose them and stop working for non-root users.

A simplified container rootfs has been packaged as a gzip-compressed tar archive at ~/rootfs.tar.gz. Its contents:

  • rootfs/bin/ping - mode 0755, owned by root:root, carries the cap_net_raw=ep capability.
  • rootfs/etc/passwd - mode 0644, owned by root:root.
  • rootfs/etc/shadow - mode 0640, owned by root:shadow.
  • rootfs/home/john/notes.txt, rootfs/home/john/.bashrc - mode 0644, owned by UID:GID 1000:1000.
  • rootfs/home/john/hello.sh - mode 0755, owned by UID:GID 1000:1000.

Your goal is to extract the archive into /tmp/rootfs/ so that it ends up as a an exact copy of the original tree with permissions, ownership, and extended attributes all preserved.

Hint 1 - Preserving the file permissions

By default, tar applies the extracting user's umask to file modes. There is a dedicated flag that disables this behavior - search for --preserve-permissions in man tar.

The extracted files must keep their original mode bits. For example, /tmp/rootfs/etc/shadow must stay at 0640, and /tmp/rootfs/home/john/hello.sh must stay at 0755.

Hint 2 - Preserving the file ownership

The extracted files must keep their original owner and group - root:root, root:shadow, and 1000:1000 - not become owned by whoever ran tar. Luckily, tar has a flag for it, too - search for --numeric-owner in man tar.

Beware that only the superuser can create files owned by other users.

Hint 3 - Preserving the extended attributes

GNU tar does not restore extended attributes by default, even when they are stored in the archive. Search man tar for --xattrs and related flags - one turns extended attribute extraction on, and another controls which namespaces are allowed back onto disk.

After extraction, getcap /tmp/rootfs/bin/ping must still report cap_net_raw=ep.

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge linux-tar-preserve-attributes

This will create a local copy of the challenge content in a directory named linux-tar-preserve-attributes. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge linux-tar-preserve-attributes

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge