Message-ID: <fcb90ceb0701111050w4877be5cuecdddd858e50a239@mail.gmail.com>
Date: Thu, 11 Jan 2007 12:50:49 -0600
From: "Dave Moore" <dave.j.moore@...il.com>
To: bugtraq <bugtraq@...urityfocus.com>, steven@...terwebnet.com,
dennis.jackson@...rect.co.uk
Subject: Re: slocate leaks filenames of protected directories
chmod 711 dir
sets permissions: drwx--x--x
But for directories the x doesn't mean executable, it means
searchable. From man ls:
    The file mode printed under the -l option consists of the entry type,
    owner permissions, and group permissions. The entry type character
    describes the type of file, as follows:

        b     Block special file.
        c     Character special file.
        d     Directory.
        l     Symbolic link.
        s     Socket link.
        p     FIFO.
        -     Regular file.

    The next three fields are three characters each: owner permissions, group
    permissions, and other permissions. Each field has three character
    positions:

        1. If r, the file is readable; if -, it is not readable.
        2. If w, the file is writable; if -, it is not writable.
        3. The first of the following that applies:

            S     If in the owner permissions, the file is not executable
                  and set-user-ID mode is set. If in the group permissions,
                  the file is not executable and set-group-ID mode is set.
            s     If in the owner permissions, the file is executable and
                  set-user-ID mode is set. If in the group permissions,
                  the file is executable and set-group-ID mode is set.
            x     The file is executable or the directory is searchable.
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Or am I missing something?
On 1/11/07, Ben Wheeler <b.wheeler@...c.ac.uk> wrote:
> > ----- Original Message -----
> > From: steven@...terwebnet.com <steven@...terwebnet.com>
> > Sent: 10/01/2007 01:29:35
> > Subject: slocate leaks filenames of protected directories
> >
> > > * Version tested: 3.1
> > >
> > > * Problem description: slocate doesn't check readability bit of containing
> > > directory. It can divulge the existence of files in a directory that is
> > > unreadable (e.g. by the 'ls' command) by a user.
>
> On Wed, Jan 10, 2007 at 06:28:17PM +0000, Dennis Jackson wrote:
> > Curious. This problem doesn't happen for me with version 2.7.
>
> But I've confirmed it does happen on 3.1 (Debian package 3.1-1).
> From the original demonstration I thought this was a non-event
> because it uses:
> > > $ updatedb -o db -U dir
> > > $ slocate -d db file
> which creates and uses a custom db file 'db' which must be readable to
> both users. No security can be expected here, one could simply read the
> db file directly instead of using slocate (it's not encrypted or anything).
>
> But I then confirmed that the same thing happens when using the
> system database (and a dir other than /tmp, which tends to be skipped).
>
> root# cd /root
> root# mkdir dir
> root# chmod 711 dir
> root# touch dir/secret-file
> root# updatedb -U /root/dir
> root# su - other
> other$ slocate secret-f
> /root/dir/secret-file
>
> It doesn't work if dir is 700 rather than 711.
>
> Ben
>
>
--
==========
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects. -Heinlein
This message copyright (c) 2004-2007 David J Moore
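
Added example, not part of the original message and not slocate's own code: a query-time filter that reports an indexed path only if the asking user has search (x) on every directory leading to it and read (r) on the containing directory, which is the distinction between 711, 700 and 755 discussed in this thread. The names `has_perm`, `may_report`, `demo` and the `top` parameter are hypothetical, the tree is constructed in a temporary directory, and ACLs and capabilities are ignored.

```python
import os
import shutil
import tempfile

R, X = 4, 1  # read / search bits within one rwx triplet

def has_perm(st, uid, gids, bit):
    """Classic UNIX mode check: exactly one of owner/group/other applies."""
    if uid == 0:
        return True  # root bypasses directory read/search checks
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & bit)

def may_report(path, uid, gids, top):
    """True if uid could have learned path by listing its directory.

    Each directory from top down to the parent must be searchable (x);
    the containing directory must also be readable (r). ACLs are ignored.
    """
    parent = os.path.dirname(os.path.abspath(path))
    rel = os.path.relpath(parent, top)
    if rel.startswith(os.pardir):
        raise ValueError("path is not below top")
    cur, dirs = top, [top]
    for part in ([] if rel == "." else rel.split(os.sep)):
        cur = os.path.join(cur, part)
        dirs.append(cur)
    if not all(has_perm(os.stat(d), uid, gids, X) for d in dirs):
        return False
    return has_perm(os.stat(parent), uid, gids, R)

def demo():
    """Constructed tree mirroring the thread: dir at 711, 700 and 755."""
    top = tempfile.mkdtemp()
    os.chmod(top, 0o755)
    secret = os.path.join(top, "dir", "secret-file")
    os.mkdir(os.path.dirname(secret))
    open(secret, "w").close()
    other = os.stat(top).st_uid + 1  # hypothetical non-owner, non-root uid
    result = {}
    for mode in (0o711, 0o700, 0o755):
        os.chmod(os.path.dirname(secret), mode)
        result[oct(mode)] = may_report(secret, other, set(), top)
    shutil.rmtree(top)
    return result

if __name__ == "__main__":
    print(demo())
```

With this filter the 711 case is withheld just like the 700 case; only a directory the user can actually list (755 here) yields a hit.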