BugTraq
Re: slocate leaks filenames of protected directories Jan 10 2007 06:28PM
Dennis Jackson (dennis jackson ndirect co uk) (1 replies)
Re: slocate leaks filenames of protected directories Jan 11 2007 11:14AM
Ben Wheeler (b wheeler ulcc ac uk) (1 replies)
> ----- Original Message -----
> From: steven (at) masterwebnet (dot) com [email concealed] <steven (at) masterwebnet (dot) com [email concealed]>
> Sent: 10/01/2007 01:29:35
> Subject: slocate leaks filenames of protected directories
>
> > * Version tested: 3.1
> >
> > * Problem description: slocate doesn't check readability bit of containing
> > directory. It can divulge the existence of files in a directory that is
> > unreadable (e.g. by the 'ls' command) by a user.

On Wed, Jan 10, 2007 at 06:28:17PM +0000, Dennis Jackson wrote:
> Curious. This problem doesn't happen for me with version 2.7.

But I've confirmed it does happen on 3.1 (Debian package 3.1-1).
From the original demonstration I thought this was a non-event
because it uses:
> > $ updatedb -o db -U dir
> > $ slocate -d db file
which creates and uses a custom db file 'db' which must be readable to
both users. No security can be expected here, one could simply read the
db file directly instead of using slocate (it's not encrypted or anything).

But I then confirmed that the same thing happens when using the
system database (and a dir other than /tmp, which tends to be skipped).

root# cd /root
root# mkdir dir
root# chmod 711 dir
root# touch dir/secret-file
root# updatedb -U /root/dir
root# su - other
other$ slocate secret-f
/root/dir/secret-file

It doesn't work if dir is 700 rather than 711.

Ben

[ reply ]
Re: slocate leaks filenames of protected directories Jan 11 2007 06:50PM
Dave Moore (dave j moore gmail com) (1 replies)
Re: slocate leaks filenames of protected directories Jan 12 2007 09:18PM
Ben Wheeler (b wheeler ulcc ac uk)


 

Privacy Statement
Copyright 2010, SecurityFocus