GNU tar is lazy about file creation modes and file owners when unpacking a tar file. Because GNU tar defaults to creating files owned by the userid running tar when the username is not found on your system, it can be possible to inadvertently create setuid root programs.

Let me give you an example: On machine A, as user "fred" (uid doesn't matter), use gtar to create a tar file of the directory ~/files. Inside the subdirectory, place a copy of /bin/bash and, as fred, make the program setuid fred (the mode 4755 works well). Send the tar file to someone on machine B where the user "fred" does not exist and have them unpack the directory somewhere. Since "fred" does not exist on machine B and gtar is being run as root, you have created a world-executable setuid-root shell.

I stumbled on this when using a `tar | rsh tar' pipeline to transfer a bunch of home directories from one machine to another. I thought all users on the source machine existed on the destination, but this was not the case. Furthermore, all files owned by users not present on both machines were created with ownership to root ... including some setuid programs which were now setuid root! It's very, very easy to get caught out by this.

I'd like to see GNU tar strip the setuid bit off files it has to revert the ownership for due to an unknown original owner.
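The following is an added example (not part of the original report and not GNU tar's own code) showing the check the author asks for, done as a pre-extraction audit: it walks a tar archive and flags every regular file that carries a setuid or setgid bit and whose recorded owner name is unknown on the extracting host, and it computes the mode such a file should get instead. The sample archive, the user "fred", and the `known_users` parameter are constructed for the example; by default the owner lookup uses the local password database via `pwd`.

```python
import io
import pwd
import stat
import tarfile

# Bits that become dangerous when the owner is silently rewritten to the
# extracting user (root): setuid and setgid.
SETID_BITS = stat.S_ISUID | stat.S_ISGID


def user_exists(uname, known_users=None):
    """True if the archive's owner name exists on this host.

    known_users is an optional set used instead of the password database,
    so the check can be run deterministically (e.g. in tests)."""
    if known_users is not None:
        return uname in known_users
    try:
        pwd.getpwnam(uname)
        return True
    except KeyError:
        return False


def sanitized_mode(member, known_users=None):
    """Mode a member should be created with: setuid/setgid are stripped
    when the recorded owner cannot be mapped to a local account."""
    if (member.mode & SETID_BITS) and not user_exists(member.uname, known_users):
        return member.mode & ~SETID_BITS
    return member.mode


def audit_archive(fileobj, known_users=None):
    """Return [(name, mode, uname)] for regular files whose setuid/setgid
    bits would survive extraction under a rewritten (unknown) owner."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile() and sanitized_mode(m, known_users) != m.mode:
                findings.append((m.name, m.mode, m.uname))
    return findings


def build_sample_archive():
    """Constructed sample: a 'files/' tree made by user fred containing a
    setuid-fred program and an ordinary file, as in the report."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        prog = b"#!/bin/sh\necho placeholder shell\n"
        ti = tarfile.TarInfo("files/bash")
        ti.size = len(prog)
        ti.mode = 0o4755          # setuid + rwxr-xr-x
        ti.uid = ti.gid = 1234    # arbitrary ids from machine A
        ti.uname = ti.gname = "fred"
        tf.addfile(ti, io.BytesIO(prog))

        note = b"nothing special\n"
        ti2 = tarfile.TarInfo("files/notes.txt")
        ti2.size = len(note)
        ti2.mode = 0o644
        ti2.uid = ti2.gid = 1234
        ti2.uname = ti2.gname = "fred"
        tf.addfile(ti2, io.BytesIO(note))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pretend the destination host only knows about root.
    for name, mode, uname in audit_archive(build_sample_archive(), {"root"}):
        print(f"{name}: mode {mode:o}, owner '{uname}' unknown; "
              f"would extract as {mode & ~SETID_BITS:o}")
```

Run against a real archive, `audit_archive(open(path, "rb"))` lists the members that would become setuid/setgid files owned by whoever runs the extraction; `sanitized_mode` is what an extractor should apply to them instead of the archived mode.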