lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 11 Jan 2007 11:14:33 +0000
From: Ben Wheeler <b.wheeler@...c.ac.uk>
To: bugtraq <bugtraq@...urityfocus.com>
Cc: steven@...terwebnet.com, dennis.jackson@...rect.co.uk
Subject: Re: slocate leaks filenames of protected directories

> ----- Original Message -----
> From: steven@...terwebnet.com <steven@...terwebnet.com>
> Sent: 10/01/2007 01:29:35
> Subject: slocate leaks filenames of protected directories
> 
> > * Version tested: 3.1
> > 
> > * Problem description: slocate doesn't check readability bit of containing
> >   directory. It can divulge the existence of files in a directory that is
> >   unreadable (e.g. by the 'ls' command) by a user.

On Wed, Jan 10, 2007 at 06:28:17PM +0000, Dennis Jackson wrote:
> Curious. This problem doesn't happen for me with version 2.7.

But I've confirmed it does happen on 3.1 (Debian package 3.1-1).
>From the original demonstration I thought this was a non-event 
because it uses:
> > $ updatedb -o db -U dir
> > $ slocate -d db file
which creates and uses a custom db file 'db' which must be readable to 
both users. No security can be expected here, one could simply read the 
db file directly instead of using slocate (it's not encrypted or anything). 

But I then confirmed that the same thing happens when using the 
system database (and a dir other than /tmp, which tends to be skipped).

 root# cd /root
 root# mkdir dir
 root# chmod 711 dir
 root# touch dir/secret-file
 root# updatedb -U /root/dir
 root# su - other
other$ slocate secret-f
/root/dir/secret-file

It doesn't work if dir is 700 rather than 711. 

Ben

Powered by blists - more mailing lists