BugTraq
Re: slocate leaks filenames of protected directories Jan 10 2007 06:28PM
Dennis Jackson (dennis jackson ndirect co uk) (1 replies)
Re: slocate leaks filenames of protected directories Jan 11 2007 11:14AM
Ben Wheeler (b wheeler ulcc ac uk) (1 replies)
Re: slocate leaks filenames of protected directories Jan 11 2007 06:50PM
Dave Moore (dave j moore gmail com) (1 replies)
chmod 711 dir
sets permissions: drwx--x--x

But for directories the x doesn't mean executable, it means
searchable. From man ls:

The file mode printed under the -l option consists of the entry type,
owner permissions, and group permissions. The entry type character
describes the type of file, as follows:

b Block special file.
c Character special file.
d Directory.
l Symbolic link.
s Socket link.
p FIFO.
- Regular file.

The next three fields are three characters each: owner permissions, group
permissions, and other permissions. Each field has three character
positions:

1. If r, the file is readable; if -, it is not readable.

2. If w, the file is writable; if -, it is not writable.

3. The first of the following that applies:

   S  If in the owner permissions, the file is not executable and
      set-user-ID mode is set. If in the group permissions, the file
      is not executable and set-group-ID mode is set.

   s  If in the owner permissions, the file is executable and
      set-user-ID mode is set. If in the group permissions, the file
      is executable and set-group-ID mode is set.

   x  The file is executable or the directory is searchable.
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Or am I missing something?

On 1/11/07, Ben Wheeler <b.wheeler (at) ulcc.ac (dot) uk [email concealed]> wrote:
> > ----- Original Message -----
> > From: steven (at) masterwebnet (dot) com [email concealed] <steven (at) masterwebnet (dot) com [email concealed]>
> > Sent: 10/01/2007 01:29:35
> > Subject: slocate leaks filenames of protected directories
> >
> > > * Version tested: 3.1
> > >
> > > * Problem description: slocate doesn't check readability bit of containing
> > > directory. It can divulge the existence of files in a directory that is
> > > unreadable (e.g. by the 'ls' command) by a user.
>
> On Wed, Jan 10, 2007 at 06:28:17PM +0000, Dennis Jackson wrote:
> > Curious. This problem doesn't happen for me with version 2.7.
>
> But I've confirmed it does happen on 3.1 (Debian package 3.1-1).
> From the original demonstration I thought this was a non-event
> because it uses:
> > > $ updatedb -o db -U dir
> > > $ slocate -d db file
> which creates and uses a custom db file 'db' which must be readable to
> both users. No security can be expected here, one could simply read the
> db file directly instead of using slocate (it's not encrypted or anything).
>
> But I then confirmed that the same thing happens when using the
> system database (and a dir other than /tmp, which tends to be skipped).
>
> root# cd /root
> root# mkdir dir
> root# chmod 711 dir
> root# touch dir/secret-file
> root# updatedb -U /root/dir
> root# su - other
> other$ slocate secret-f
> /root/dir/secret-file
>
> It doesn't work if dir is 700 rather than 711.
>
> Ben
>
>

--
==========
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects. -Heinlein

This message copyright (c) 2004-2007 David J Moore
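
Added example, not part of the original thread and not slocate's code: the 711 versus 700 behaviour reported above, reproduced as two disclosure policies, one that only requires search (x) on each directory and one that also requires read (r) on the containing directory. The helpers `perm_bits` and `may_disclose`, the `base` parameter and the "other" uid are hypothetical; only classic mode bits are evaluated (no ACLs).

```python
import os, shutil, tempfile

def perm_bits(st, uid, gids):
    """rwx triplet (0-7) that classic POSIX mode bits give uid/gids (no ACLs)."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def may_disclose(path, uid, gids, base="/", require_read=True):
    """Should a locate-style tool reveal `path` to uid? (hypothetical helper)
    Every directory from the containing one up to `base` must be searchable
    (x); with require_read=True the containing one must also be readable (r),
    which is what `ls` needs in order to list it."""
    if uid == 0:
        return True
    parent = os.path.dirname(os.path.abspath(path))
    d = parent
    while True:
        bits = perm_bits(os.stat(d), uid, gids)
        if not bits & 1:                       # no search permission
            return False
        if require_read and d == parent and not bits & 4:
            return False                       # searchable but not listable
        up = os.path.dirname(d)
        if d == base or up == d:
            return True
        d = up

def demo():
    """Constructed fixture: the thread's dir/secret-file at 711, 700 and 755."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    secret_dir = os.path.join(base, "dir")
    target = os.path.join(secret_dir, "secret-file")
    os.mkdir(secret_dir)
    open(target, "w").close()
    other = os.stat(base).st_uid + 1           # constructed uid, not the owner
    results = {}
    for mode in (0o711, 0o700, 0o755):
        os.chmod(secret_dir, mode)
        results[oct(mode)] = (
            may_disclose(target, other, set(), base, require_read=False),
            may_disclose(target, other, set(), base))
    shutil.rmtree(base)
    return results

if __name__ == "__main__":
    print(demo())   # {mode: (search-only policy, read+search policy)}
```

Only the 711 row differs between the two policies: a search-only check discloses the name, while a check that also requires read permission on the containing directory does not.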

Re: slocate leaks filenames of protected directories Jan 12 2007 09:18PM
Ben Wheeler (b wheeler ulcc ac uk)


 
