10.2.4 Security Rules of Thumb
This section briefly summarizes rules of thumb for avoiding security
pitfalls.
- Protect archives at least as much as you protect any of the files
being archived.
- Extract from an untrusted archive only into an otherwise-empty
directory, so that nothing already on disk (an existing file, or a
symbolic link someone else planted there) can be overwritten or followed
during extraction. This directory and its parent should be accessible only
to trusted users. For example:
$ chmod go-rwx .
$ mkdir -m go-rwx dir
$ cd dir
$ tar -xvf /archives/got-it-off-the-net.tar.gz
As a corollary, do not do an incremental restore from an untrusted archive:
an incremental restore (--listed-incremental) works on an existing
directory tree, replacing files in it and deleting those the archive marks
as removed, so it cannot be confined to an empty directory.
- Do not let untrusted users access files extracted from untrusted
archives until you have checked them for problems such as setuid or setgid
programs, world-writable files, and symbolic links that point outside the
extraction directory.
- Do not let untrusted users modify directories that are ancestors of
top-level arguments of tar. For example, while you are
executing ‘tar -cf /archive/u-home.tar /u/home’, do not let an
untrusted user modify /, /archive, or /u.
- Pay attention to the diagnostics and exit status of tar. GNU tar exits
with status 0 on success, 1 if some files differ (with --compare) or were
changed while being archived, and 2 on a fatal error; a script that ignores
the status can silently treat a truncated or corrupt archive as a good one.
- When archiving live file systems, monitor running instances of
tar to detect denial-of-service attacks.
- Avoid unusual options unless you understand their security
implications: --absolute-names (-P) lets member names escape the
extraction directory; --dereference (-h) archives the targets of symbolic
links instead of the links themselves; --overwrite and --recursive-unlink
replace existing files and whole directory trees; --remove-files deletes
the originals after archiving them.