Re: slocate leaks filenames of protected directories

["Dave Moore" <dave.j.moore () gmail com>]

chmod 711 dir
sets permissions: drwx--x--x

But for directories the x doesn't mean executable, it means
searchable. from man ls:

The file mode printed under the -l option consists of the entry type,
    owner permissions, and group permissions.  The entry type character
    describes the type of file, as follows:

          b     Block special file.
          c     Character special file.
          d     Directory.
          l     Symbolic link.
          s     Socket link.
          p     FIFO.
          -     Regular file.

    The next three fields are three characters each: owner permissions, group
    permissions, and other permissions.  Each field has three character posi-
    tions:

          1.   If r, the file is readable; if -, it is not readable.

          2.   If w, the file is writable; if -, it is not writable.

          3.   The first of the following that applies:

                     S     If in the owner permissions, the file is not exe-
                           cutable and set-user-ID mode is set.  If in the
                           group permissions, the file is not executable and
                           set-group-ID mode is set.

                     s     If in the owner permissions, the file is exe-
                           cutable and set-user-ID mode is set.  If in the
                           group permissions, the file is executable and set-
                           group-ID mode is set.

                     x     The file is executable or the directory is search-
                           able.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Or am I missing something?

On 1/11/07, Ben Wheeler <b.wheeler () ulcc ac uk> wrote:
> > ----- Original Message -----
> > From: steven () masterwebnet com <steven () masterwebnet com>
> > Sent: 10/01/2007 01:29:35
> > Subject: slocate leaks filenames of protected directories
> >
> > > * Version tested: 3.1
> > >
> > > * Problem description: slocate doesn't check readability bit of containing
> > >   directory. It can divulge the existence of files in a directory that is
> > >   unreadable (e.g. by the 'ls' command) by a user.
>
> On Wed, Jan 10, 2007 at 06:28:17PM +0000, Dennis Jackson wrote:
> > Curious. This problem doesn't happen for me with version 2.7.
>
> But I've confirmed it does happen on 3.1 (Debian package 3.1-1).
> From the original demonstration I thought this was a non-event
> because it uses:
> > > $ updatedb -o db -U dir
> > > $ slocate -d db file
> which creates and uses a custom db file 'db' which must be readable to
> both users. No security can be expected here, one could simply read the
> db file directly instead of using slocate (it's not encrypted or anything).
>
> But I then confirmed that the same thing happens when using the
> system database (and a dir other than /tmp, which tends to be skipped).
>
>  root# cd /root
>  root# mkdir dir
>  root# chmod 711 dir
>  root# touch dir/secret-file
>  root# updatedb -U /root/dir
>  root# su - other
> other$ slocate secret-f
> /root/dir/secret-file
>
> It doesn't work if dir is 700 rather than 711.
>
> Ben


--
==========
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects. -Heinlein

This message copyright (c) 2004-2007 David J Moore