lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 10 Jan 2007 18:28:17 +0000 
From: Dennis Jackson <dennis.jackson@...rect.co.uk>
To: <steven@...terwebnet.com>, <dennis.jackson@...rect.co.uk>
Cc: bugtraq <bugtraq@...urityfocus.com>, 
Subject: Re: slocate leaks filenames of protected directories

Curious. This problem doesn't happen for me with version 2.7.

As root

# cd /root
# mkdir dir
# chmod 711 dir
# cd dir
# touch hiddenfile
# cd ..

# /usr/bin/slocate -c -u

As an ordinary user

$ ls -l /root/dir
/usr/bin/ls: /root/dir: Permission denied
$ slocate hiddenfile
$ slocate -V
Secure Locate 2.7 - Released January 24, 2003
$

Just to check the file really is there 

$ ls -l /root/dir/hiddenfile
-rw-r--r--  1 root root 0 Jan 10 18:14 /root/dir/hiddenfile
$

But as root

# slocate hiddenfile
/root/dir/hiddenfile
#


----- Original Message -----
From: steven@...terwebnet.com <steven@...terwebnet.com>
Sent: 10/01/2007 01:29:35
Subject: slocate leaks filenames of protected directories

> * Version tested: 3.1
> 
> * Problem description: slocate doesn't check readability bit of containing
>   directory. It can divulge the existence of files in a directory that is
>   unreadable (e.g. by the 'ls' command) by a user.
> 
> * Demonstration:
> 
> As user1:
> 
> $ cd /tmp
> $ mkdir dir
> $ chmod 711 dir
> $ cd dir
> $ touch "a-secret-file"
> $ cd ..
> 
> $ updatedb -o db -U dir
> 
> As user2:
> 
> $ cd /tmp
> $ ls dir
> ls: .: Permission denied
> 
> But:
> 
> $ slocate -d db file
> dir/a-secret-file


Powered by blists - more mailing lists