Bugtraq mailing list archives
Re: slocate leaks filenames of protected directories
From: Ben Wheeler <b.wheeler () ulcc ac uk>
Date: Thu, 11 Jan 2007 11:14:33 +0000
----- Original Message ----- From: steven () masterwebnet com <steven () masterwebnet com> Sent: 10/01/2007 01:29:35 Subject: slocate leaks filenames of protected directories* Version tested: 3.1 * Problem description: slocate doesn't check readability bit of containing directory. It can divulge the existence of files in a directory that is unreadable (e.g. by the 'ls' command) by a user.
On Wed, Jan 10, 2007 at 06:28:17PM +0000, Dennis Jackson wrote:
Curious. This problem doesn't happen for me with version 2.7.
But I've confirmed it does happen on 3.1 (Debian package 3.1-1).
From the original demonstration I thought this was a non-event
because it uses:
$ updatedb -o db -U dir $ slocate -d db file
which creates and uses a custom db file 'db' which must be readable to both users. No security can be expected here, one could simply read the db file directly instead of using slocate (it's not encrypted or anything). But I then confirmed that the same thing happens when using the system database (and a dir other than /tmp, which tends to be skipped). root# cd /root root# mkdir dir root# chmod 711 dir root# touch dir/secret-file root# updatedb -U /root/dir root# su - other other$ slocate secret-f /root/dir/secret-file It doesn't work if dir is 700 rather than 711. Ben
Current thread:
- slocate leaks filenames of protected directories steven (Jan 10)
- <Possible follow-ups>
- Re: slocate leaks filenames of protected directories Dennis Jackson (Jan 10)
- Re: slocate leaks filenames of protected directories Ben Wheeler (Jan 11)
- Re: slocate leaks filenames of protected directories Dave Moore (Jan 12)
- Re: slocate leaks filenames of protected directories Ben Wheeler (Jan 12)
- Re: slocate leaks filenames of protected directories Ben Wheeler (Jan 11)