Message-Id: <E1H4iBN-0003dh-00@flame.hosts.ndo.com>
Date: Thu, 10 Jan 2007 18:28:17 +0000
From: Dennis Jackson <dennis.jackson@...rect.co.uk>
To: <steven@...terwebnet.com>, <dennis.jackson@...rect.co.uk>
Cc: bugtraq <bugtraq@...urityfocus.com>,
Subject: Re: slocate leaks filenames of protected directories
Curious. This problem doesn't happen for me with version 2.7.

As root

# cd /root
# mkdir dir
# chmod 711 dir
# cd dir
# touch hiddenfile
# cd ..
# /usr/bin/slocate -c -u

As an ordinary user

$ ls -l /root/dir
/usr/bin/ls: /root/dir: Permission denied
$ slocate hiddenfile
$ slocate -V
Secure Locate 2.7 - Released January 24, 2003
$

Just to check the file really is there

$ ls -l /root/dir/hiddenfile
-rw-r--r-- 1 root root 0 Jan 10 18:14 /root/dir/hiddenfile
$

But as root

# slocate hiddenfile
/root/dir/hiddenfile
#
----- Original Message -----
From: steven@...terwebnet.com <steven@...terwebnet.com>
Sent: 10/01/2007 01:29:35
Subject: slocate leaks filenames of protected directories
> * Version tested: 3.1
>
> * Problem description: slocate doesn't check readability bit of containing
> directory. It can divulge the existence of files in a directory that is
> unreadable (e.g. by the 'ls' command) by a user.
>
> * Demonstration:
>
> As user1:
>
> $ cd /tmp
> $ mkdir dir
> $ chmod 711 dir
> $ cd dir
> $ touch "a-secret-file"
> $ cd ..
>
> $ updatedb -o db -U dir
>
> As user2:
>
> $ cd /tmp
> $ ls dir
> ls: .: Permission denied
>
> But:
>
> $ slocate -d db file
> dir/a-secret-file
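
The check the report describes as missing, written out as an added example (not slocate's code and not part of either message): a name is shown only if the caller has search permission on every directory in the path and read permission on the containing directory. `struct dirperm` and `may_list_entry` are hypothetical names, the uids and the /tmp mode are constructed, and supplementary groups and ACLs are ignored.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed stand-in for the stat() fields of one directory (hypothetical type). */
struct dirperm { mode_t mode; uid_t uid; gid_t gid; };

/* rwx bits (4/2/1) of the single permission class that applies to the caller.
 * Assumption: supplementary groups and ACLs are ignored. */
static unsigned class_bits(const struct dirperm *d, uid_t uid, gid_t gid)
{
    if (uid == d->uid) return (d->mode >> 6) & 7;   /* owner class */
    if (gid == d->gid) return (d->mode >> 3) & 7;   /* group class */
    return d->mode & 7;                             /* other class */
}

/* chain[0..n-1]: directories from the top of the path down to the one that
 * contains the file. A locate-style tool should print the name only if the
 * caller could have found it with ls: search (x) on every directory in the
 * chain, plus read (r) on the containing directory. */
bool may_list_entry(const struct dirperm *chain, size_t n, uid_t uid, gid_t gid)
{
    if (n == 0) return false;
    if (uid == 0) return true;                      /* root bypasses mode bits */
    for (size_t i = 0; i < n; i++)
        if (!(class_bits(&chain[i], uid, gid) & 1))
            return false;                           /* cannot traverse */
    return (class_bits(&chain[n - 1], uid, gid) & 4) != 0;
}

int main(void)
{
    /* Constructed data modelled on the report: /tmp (1777, root) and
     * dir (711, owned by user1 = uid 1000); user2 = uid 1001. */
    struct dirperm chain[] = { { 01777, 0, 0 }, { 0711, 1000, 1000 } };
    printf("user1: %d\n", may_list_entry(chain, 2, 1000, 1000));
    printf("user2: %d\n", may_list_entry(chain, 2, 1001, 1001));
    printf("root:  %d\n", may_list_entry(chain, 2, 0, 0));
    return 0;
}
```

With mode 711 the "other" class keeps the search bit but not the read bit, which is why a check on traversal alone would still let the name through.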