<<< Date Index >>>     <<< Thread Index >>>

Re: slocate leaks filenames of protected directories



Curious. This problem doesn't happen for me with version 2.7.

As root

# cd /root
# mkdir dir
# chmod 711 dir
# cd dir
# touch hiddenfile
# cd ..

# /usr/bin/slocate -c -u

As an ordinary user

$ ls -l /root/dir
/usr/bin/ls: /root/dir: Permission denied
$ slocate hiddenfile
$ slocate -V
Secure Locate 2.7 - Released January 24, 2003
$

Just to check the file really is there 

$ ls -l /root/dir/hiddenfile
-rw-r--r--  1 root root 0 Jan 10 18:14 /root/dir/hiddenfile
$

But as root

# slocate hiddenfile
/root/dir/hiddenfile
#


----- Original Message -----
From: steven@xxxxxxxxxxxxxxxx <steven@xxxxxxxxxxxxxxxx>
Sent: 10/01/2007 01:29:35
Subject: slocate leaks filenames of protected directories

> * Version tested: 3.1
> 
> * Problem description: slocate doesn't check readability bit of containing
>   directory. It can divulge the existence of files in a directory that is
>   unreadable (e.g. by the 'ls' command) by a user.
> 
> * Demonstration:
> 
> As user1:
> 
> $ cd /tmp
> $ mkdir dir
> $ chmod 711 dir
> $ cd dir
> $ touch "a-secret-file"
> $ cd ..
> 
> $ updatedb -o db -U dir
> 
> As user2:
> 
> $ cd /tmp
> $ ls dir
> ls: .: Permission denied
> 
> But:
> 
> $ slocate -d db file
> dir/a-secret-file