
Re: slocate leaks filenames of protected directories



chmod 711 dir
sets permissions: drwx--x--x

But for directories the x doesn't mean executable, it means
searchable. From man ls:

The file mode printed under the -l option consists of the entry type,
    owner permissions, and group permissions.  The entry type character
    describes the type of file, as follows:

          b     Block special file.
          c     Character special file.
          d     Directory.
          l     Symbolic link.
          s     Socket link.
          p     FIFO.
          -     Regular file.

    The next three fields are three characters each: owner permissions, group
    permissions, and other permissions.  Each field has three character posi-
    tions:

          1.   If r, the file is readable; if -, it is not readable.

          2.   If w, the file is writable; if -, it is not writable.

          3.   The first of the following that applies:

                     S     If in the owner permissions, the file is not exe-
                           cutable and set-user-ID mode is set.  If in the
                           group permissions, the file is not executable and
                           set-group-ID mode is set.

                     s     If in the owner permissions, the file is exe-
                           cutable and set-user-ID mode is set.  If in the
                           group permissions, the file is executable and set-
                           group-ID mode is set.

                     x     The file is executable or the directory is search-
                           able.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Or am I missing something?

On 1/11/07, Ben Wheeler <b.wheeler@xxxxxxxxxx> wrote:
> ----- Original Message -----
> From: steven@xxxxxxxxxxxxxxxx <steven@xxxxxxxxxxxxxxxx>
> Sent: 10/01/2007 01:29:35
> Subject: slocate leaks filenames of protected directories
>
> > * Version tested: 3.1
> >
> > * Problem description: slocate doesn't check readability bit of containing
> >   directory. It can divulge the existence of files in a directory that is
> >   unreadable (e.g. by the 'ls' command) by a user.

On Wed, Jan 10, 2007 at 06:28:17PM +0000, Dennis Jackson wrote:
> Curious. This problem doesn't happen for me with version 2.7.

But I've confirmed it does happen on 3.1 (Debian package 3.1-1).
From the original demonstration I thought this was a non-event
because it uses:
> > $ updatedb -o db -U dir
> > $ slocate -d db file
which creates and uses a custom db file 'db' which must be readable to
both users. No security can be expected here, one could simply read the
db file directly instead of using slocate (it's not encrypted or anything).

But I then confirmed that the same thing happens when using the
system database (and a dir other than /tmp, which tends to be skipped).

 root# cd /root
 root# mkdir dir
 root# chmod 711 dir
 root# touch dir/secret-file
 root# updatedb -U /root/dir
 root# su - other
other$ slocate secret-f
/root/dir/secret-file

It doesn't work if dir is 700 rather than 711.

Ben




--
==========
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects. -Heinlein

This message copyright (c) 2004-2007 David J Moore
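
The 711 versus 700 behaviour reported in this thread can be reproduced from the mode bits alone. The following is an added example, not part of the original messages and not slocate's code: `search_only` models a check that is consistent with the reported results, and `listable` adds the read check on the containing directory that the original report says is missing. The function names and the "other user" uid are assumptions, and ACLs and root's override are ignored.

```python
import os
import tempfile

def class_bits(st, uid, gids):
    """rwx bits (0-7) the classic mode bits grant to uid/gids; ACLs ignored."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def ancestors(base, path):
    """Directories from base down to the directory containing path."""
    rel = os.path.relpath(os.path.dirname(path), base)
    out, cur = [base], base
    for part in ([] if rel == "." else rel.split(os.sep)):
        cur = os.path.join(cur, part)
        out.append(cur)
    return out

def search_only(base, path, uid, gids):
    """x on every ancestor: enough to reach a known name (true for 711)."""
    return all(class_bits(os.stat(d), uid, gids) & 1
               for d in ancestors(base, path))

def listable(base, path, uid, gids):
    """Additionally require r on the containing directory, as ls needs."""
    parent = ancestors(base, path)[-1]
    readable = bool(class_bits(os.stat(parent), uid, gids) & 4)
    return search_only(base, path, uid, gids) and readable

def demo(mode):
    """Constructed sample tree: base/dir/secret-file, with dir set to mode."""
    with tempfile.TemporaryDirectory() as base:
        os.chmod(base, 0o755)
        d = os.path.join(base, "dir")
        os.mkdir(d)
        f = os.path.join(d, "secret-file")
        open(f, "w").close()
        os.chmod(d, mode)
        other = os.stat(d).st_uid + 1  # hypothetical uid: not owner, no groups
        result = (search_only(base, f, other, set()),
                  listable(base, f, other, set()))
        os.chmod(d, 0o700)  # restore so the temporary tree can be removed
        return result

if __name__ == "__main__":
    for mode in (0o711, 0o700, 0o755):
        print(oct(mode), demo(mode))
```

A locate-style tool that filters results with the `listable` rule would report the file for 755 only, while the `search_only` rule also reports it for 711.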