Bugtraq mailing list archives

Re: slocate leaks filenames of protected directories

From: Dennis Jackson <dennis.jackson () ndirect co uk>
Date: Thu, 10 Jan 2007 18:28:17 +0000

Curious. This problem doesn't happen for me with version 2.7.

As root

# cd /root
# mkdir dir
# chmod 711 dir
# cd dir
# touch hiddenfile
# cd ..

# /usr/bin/slocate -c -u

As an ordinary user

$ ls -l /root/dir
/usr/bin/ls: /root/dir: Permission denied
$ slocate hiddenfile
$ slocate -V
Secure Locate 2.7 - Released January 24, 2003
$

Just to check the file really is there 

$ ls -l /root/dir/hiddenfile
-rw-r--r--  1 root root 0 Jan 10 18:14 /root/dir/hiddenfile
$

But as root

# slocate hiddenfile
/root/dir/hiddenfile
#


----- Original Message -----
From: steven () masterwebnet com <steven () masterwebnet com>
Sent: 10/01/2007 01:29:35
Subject: slocate leaks filenames of protected directories

* Version tested: 3.1

* Problem description: slocate doesn't check readability bit of containing
  directory. It can divulge the existence of files in a directory that is
  unreadable (e.g. by the 'ls' command) by a user.

* Demonstration:

As user1:

$ cd /tmp
$ mkdir dir
$ chmod 711 dir
$ cd dir
$ touch "a-secret-file"
$ cd ..

$ updatedb -o db -U dir

As user2:

$ cd /tmp
$ ls dir
ls: .: Permission denied

But:

$ slocate -d db file
dir/a-secret-file

Current thread:

slocate leaks filenames of protected directories steven (Jan 10)
- <Possible follow-ups>
- Re: slocate leaks filenames of protected directories Dennis Jackson (Jan 10)
  - Re: slocate leaks filenames of protected directories Ben Wheeler (Jan 11)
    - Re: slocate leaks filenames of protected directories Dave Moore (Jan 12)
    - Re: slocate leaks filenames of protected directories Ben Wheeler (Jan 12)