Bug 161432 - sys-apps/slocate fails to check the +x bit
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo's Team for Core System packages
Reported: 2007-01-10 23:02 UTC by Harlan Lieberman-Berg (RETIRED)
Modified: 2007-02-10 19:02 UTC
Description Harlan Lieberman-Berg (RETIRED) gentoo-dev 2007-01-10 23:02:53 UTC
Copied from Bugtraq:
* Version tested: 3.1

* Problem description: slocate doesn't check readability bit of containing directory. It can divulge the existence of files in a directory that is unreadable (e.g. by the 'ls' command) by a user.

* Demonstration:

As user1:

$ cd /tmp
$ mkdir dir
$ chmod 711 dir
$ cd dir
$ touch "a-secret-file"
$ cd ..

$ updatedb -o db -U dir

As user2:

$ cd /tmp
$ ls dir
ls: .: Permission denied

But:

$ slocate -d db file
dir/a-secret-file
Comment 1 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2007-02-05 14:20:23 UTC
This needs attention.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-02-10 04:48:07 UTC
Your file /tmp/dir/a-secret-file is NOT inaccessible to user2.
As your user2, 'stat /tmp/dir/a-secret-file'.
Merely obscuring the existence of said file is no security, as there are other ways to see that it exists.

slocate is accurately reporting that it exists, and is accessible to user2.
If you change the perms on /tmp/dir/ to 0700, then slocate ceases to report, which is correct.
Comment 3 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2007-02-10 19:02:56 UTC
This is correct. My apologies.
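
The distinction drawn in Comment 2 (a directory that grants search permission but not read permission), as an added example that is not part of the original bug report or of slocate. The helper names `other_bits`, `listable` and `name_reachable` are hypothetical, the tree is constructed in a temporary directory, and only the mode bits for the "other" class are examined (owner, group and ACLs are ignored).

```shell
#!/bin/sh
# Added example. Looks only at the "other" mode bits; owner/group classes
# and ACLs are ignored. Helper names are hypothetical.

# Print the three "other" permission characters of a path, e.g. "--x".
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# Can "other" enumerate the names inside directory $1? Requires o+r.
listable() {
    case $(other_bits "$1") in
        r??) echo yes ;;
        *)   echo no ;;
    esac
}

# Can "other" confirm that path $1 exists by name (e.g. with stat)?
# Requires o+x on every directory between $2 (exclusive, assumed
# reachable) and $1. Prints "reachable" or "hidden".
name_reachable() {
    dir=$(dirname -- "$1")
    while [ "$dir" != "$2" ] && [ "$dir" != "/" ]; do
        case $(other_bits "$dir") in
            ??[xt]) ;;                      # search bit set (t = sticky + x)
            *) echo hidden; return 0 ;;
        esac
        dir=$(dirname -- "$dir")
    done
    echo reachable
}

# Constructed sample tree mirroring the report: dir/a-secret-file,
# evaluated with the directory at mode 711 and then 700.
demo() {
    root=$(mktemp -d)
    mkdir "$root/dir" && : > "$root/dir/a-secret-file"
    for mode in 711 700; do
        chmod "$mode" "$root/dir"
        f=$root/dir/a-secret-file
        echo "$mode list=$(listable "$root/dir") name=$(name_reachable "$f" "$root")"
    done
    rm -rf "$root"
}

demo
```

At mode 711 the directory cannot be listed but the file name is still reachable; at 700 it is neither, which matches the behaviour described in the thread.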