
Bug 161432

Summary: sys-apps/slocate fails to check the +x bit
Product: Gentoo Security
Reporter: Harlan Lieberman-Berg (RETIRED) <hlieberman>
Component: Vulnerabilities
Assignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED INVALID    
Severity: major    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Harlan Lieberman-Berg (RETIRED) gentoo-dev 2007-01-10 23:02:53 UTC
Copied from Bugtraq:
* Version tested: 3.1

* Problem description: slocate doesn't check readability bit of containing directory. It can divulge the existence of files in a directory that is unreadable (e.g. by the 'ls' command) by a user.

* Demonstration:

As user1:

$ cd /tmp
$ mkdir dir
$ chmod 711 dir
$ cd dir
$ touch "a-secret-file"
$ cd ..

$ updatedb -o db -U dir

As user2:

$ cd /tmp
$ ls dir
ls: .: Permission denied

But:

$ slocate -d db file
dir/a-secret-file
Comment 1 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2007-02-05 14:20:23 UTC
This needs attention.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-02-10 04:48:07 UTC
Your file /tmp/dir/a-secret-file is NOT inaccessible to user2.
As your user2, 'stat /tmp/dir/a-secret-file'.
Merely obscuring the existence of said file is no security, as there are other ways to see that it exists.

slocate is accurately reporting that it exists, and is accessible to user2.
If you change the perms on /tmp/dir/ to 0700, then slocate ceases to report, which is correct.
Comment 3 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2007-02-10 19:02:56 UTC
This is correct. My apologies.
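
The distinction Comment 2 draws, between the read bit (listing a directory) and the search/execute bit (resolving a known name inside it), can be checked from the mode bits alone. The following is an added example, not part of the original report and not slocate's code; `access_report`, `demo` and the second uid are hypothetical names and values, and ACLs and capabilities (such as root's) are deliberately ignored.

```python
import os
import tempfile


def _class_bits(st, uid, gids):
    """Return the rwx triplet (0-7) that applies to uid/gids for this inode."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def access_report(base, relpath, uid, gids=()):
    """Evaluate classic mode bits for every directory between base and relpath.

    Returns (resolvable, listable):
      resolvable - each directory on the way grants search (x), so stat()
                   on the exact name would succeed for uid;
      listable   - the containing directory is reachable and grants read (r),
                   so the name could be enumerated with ls/readdir().
    base itself is assumed to be accessible to uid.
    """
    dirs = relpath.split(os.sep)[:-1]
    current, reachable, listable = base, True, True
    for i, name in enumerate(dirs):
        current = os.path.join(current, name)
        bits = _class_bits(os.stat(current), uid, gids)
        if i == len(dirs) - 1:
            listable = reachable and bool(bits & 4)
        reachable = reachable and bool(bits & 1)
    return reachable, listable


def demo():
    """Recreate the report's layout in a constructed temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "dir"))
        secret = os.path.join("dir", "a-secret-file")
        open(os.path.join(base, secret), "w").close()
        other = os.getuid() + 1  # hypothetical second user, shares no group
        for mode in (0o711, 0o700):
            os.chmod(os.path.join(base, "dir"), mode)
            results[mode] = access_report(base, secret, other)
    return results


if __name__ == "__main__":
    for mode, (resolvable, listable) in demo().items():
        print(f"{mode:o}: resolvable={resolvable} listable={listable}")
```

With mode 711 the name is resolvable but not listable, which is the state the report demonstrates; with 700 it is neither, matching the case where slocate stops reporting the file.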