Message-ID: <fcb90ceb0701111050w4877be5cuecdddd858e50a239@mail.gmail.com>
Date: Thu, 11 Jan 2007 12:50:49 -0600
From: "Dave Moore" <dave.j.moore@...il.com>
To: bugtraq <bugtraq@...urityfocus.com>, steven@...terwebnet.com,
	dennis.jackson@...rect.co.uk
Subject: Re: slocate leaks filenames of protected directories

chmod 711 dir
sets permissions: drwx--x--x

But for directories the x doesn't mean executable, it means
searchable. From man ls:

 The file mode printed under the -l option consists of the entry type,
     owner permissions, and group permissions.  The entry type character
     describes the type of file, as follows:

           b     Block special file.
           c     Character special file.
           d     Directory.
           l     Symbolic link.
           s     Socket link.
           p     FIFO.
           -     Regular file.

     The next three fields are three characters each: owner permissions, group
     permissions, and other permissions.  Each field has three character posi-
     tions:

           1.   If r, the file is readable; if -, it is not readable.

           2.   If w, the file is writable; if -, it is not writable.

           3.   The first of the following that applies:

                      S     If in the owner permissions, the file is not exe-
                            cutable and set-user-ID mode is set.  If in the
                            group permissions, the file is not executable and
                            set-group-ID mode is set.

                      s     If in the owner permissions, the file is exe-
                            cutable and set-user-ID mode is set.  If in the
                            group permissions, the file is executable and set-
                            group-ID mode is set.

                      x     The file is executable or the directory is search-
                            able.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Or am I missing something?

On 1/11/07, Ben Wheeler <b.wheeler@...c.ac.uk> wrote:
> > ----- Original Message -----
> > From: steven@...terwebnet.com <steven@...terwebnet.com>
> > Sent: 10/01/2007 01:29:35
> > Subject: slocate leaks filenames of protected directories
> >
> > > * Version tested: 3.1
> > >
> > > * Problem description: slocate doesn't check readability bit of containing
> > >   directory. It can divulge the existence of files in a directory that is
> > >   unreadable (e.g. by the 'ls' command) by a user.
>
> On Wed, Jan 10, 2007 at 06:28:17PM +0000, Dennis Jackson wrote:
> > Curious. This problem doesn't happen for me with version 2.7.
>
> But I've confirmed it does happen on 3.1 (Debian package 3.1-1).
> From the original demonstration I thought this was a non-event
> because it uses:
> > > $ updatedb -o db -U dir
> > > $ slocate -d db file
> which creates and uses a custom db file 'db' which must be readable to
> both users. No security can be expected here, one could simply read the
> db file directly instead of using slocate (it's not encrypted or anything).
>
> But I then confirmed that the same thing happens when using the
> system database (and a dir other than /tmp, which tends to be skipped).
>
>  root# cd /root
>  root# mkdir dir
>  root# chmod 711 dir
>  root# touch dir/secret-file
>  root# updatedb -U /root/dir
>  root# su - other
> other$ slocate secret-f
> /root/dir/secret-file
>
> It doesn't work if dir is 700 rather than 711.
>
> Ben
>
>


-- 
==========
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects. -Heinlein

This message copyright (c) 2004-2007 David J Moore
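
The read/search distinction discussed in this thread, as an added example (not part of the original message and not slocate's code): a small model of the POSIX directory permission check. It shows that mode 711 lets another user reach a file by a known name but not list the directory, which is the readability bit of the containing directory that the report says slocate does not check. The directory chain, uid and gid values are constructed, and the function names are hypothetical.

```python
from typing import NamedTuple, Sequence

R, X = 4, 1  # read and search bits within one permission class


class Dir(NamedTuple):
    mode: int  # permission bits, e.g. 0o711
    uid: int   # owning user
    gid: int   # owning group


def class_bits(d: Dir, uid: int, gids: Sequence[int]) -> int:
    """Return the rwx triple that applies to this user.

    Exactly one class applies: owner, else group, else other.
    """
    if uid == d.uid:
        return (d.mode >> 6) & 7
    if d.gid in gids:
        return (d.mode >> 3) & 7
    return d.mode & 7


def can_reach(chain: Sequence[Dir], uid: int, gids: Sequence[int]) -> bool:
    """Search (x) on every directory: a file can be opened by a known name."""
    if uid == 0:  # root bypasses directory permission checks
        return True
    return all(class_bits(d, uid, gids) & X for d in chain)


def can_list(chain: Sequence[Dir], uid: int, gids: Sequence[int]) -> bool:
    """What ls needs: reach the containing directory and read (r) it."""
    if uid == 0:
        return True
    return can_reach(chain, uid, gids) and bool(class_bits(chain[-1], uid, gids) & R)


def demo_chain(dir_mode: int):
    """Constructed sample: /, /root and /root/dir, all owned by root."""
    return [Dir(0o755, 0, 0), Dir(0o755, 0, 0), Dir(dir_mode, 0, 0)]


OTHER_UID, OTHER_GIDS = 1000, (1000,)  # constructed unprivileged user

if __name__ == "__main__":
    for mode in (0o711, 0o700, 0o755):
        chain = demo_chain(mode)
        print(oct(mode), "reach:", can_reach(chain, OTHER_UID, OTHER_GIDS),
              "list:", can_list(chain, OTHER_UID, OTHER_GIDS))
```

A locate-style tool that filters results with the equivalent of `can_list` would not print a name from a 711 directory; one that filters with the equivalent of `can_reach` would.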
