Bug 72193 - slocate reveals more information than necessary
Summary: slocate reveals more information than necessary
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: slocate   
Version: 9
Hardware: i686 Linux
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Brock Organ
Keywords: Security
Depends On:
Reported: 2002-08-21 21:09 UTC by Ryan Yagatich
Modified: 2014-03-17 02:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-03-29 09:52:12 UTC


Description Ryan Yagatich 2002-08-21 21:09:14 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)

Description of problem:
Under certain conditions, /usr/bin/locate may reveal information of file 
locations that would otherwise be protected based on filesystem permissions. 
example: /home/userA/private can be revealed to userB

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. userA logs in, sets his home directory to 711 for things like web services 
(public_html/ is an example...)
2. userA creates file /home/userA/private
3. userB logs in, and calls '/usr/bin/locate \* | grep "^/home/userA"'
4. userB sees /home/userA/private, and performs 'cat /home/userA/private'

Actual Results:  Results:
  /home/userA/private was successfully viewed by userB

Expected Results:  userB should not have been able to see that file as existing 
from locate because the permissions on /home/userA were set to 0711 instead of 

Additional info:

This scenario requires certain conditions to be met:
1) user must have their home directory set to 0711 (or at least the 'world' 
execute bit) for things like web services and so-on.
2a) user must not have a modified bash_profile/bashrc file (nor on the system) 
where the default umask is set to 022.
2b) user must not have modified the permissions of the file to remove world-

Although these conditions are somewhat strict, from my experience most sites 
that are webservers have /home/user/ set to 0711 if public_html exists and 
is available, and the umask is by default set to 022.

Please also note that this 'bug' was marked as under 'security' for the 
potential of 'information gathering'.
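
The expected result in the report amounts to filtering locate output by what the caller could have listed, not by what the caller can reach. The following is an added example, not slocate's code and not part of the original report, that contrasts the two filters on a constructed tree; the function names, the `root` parameter and the userB uid are assumptions, and ACLs and root's override are ignored.

```python
import os
import tempfile

R, X = 4, 1  # read and search bits within one permission triplet

def allowed(st, uid, gids, want):
    """Plain Unix mode-bit check (owner, else group, else other); ignores ACLs and root."""
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    return (st.st_mode >> shift) & want == want

def ancestors(path, root):
    """Yield root and each directory below it, down to the parent of path."""
    cur = root
    yield cur
    rel = os.path.relpath(os.path.dirname(path), root)
    for part in ([] if rel == "." else rel.split(os.sep)):
        cur = os.path.join(cur, part)
        yield cur

def reachable(path, uid, gids, root):
    """Loose filter: the user can traverse to the entry (search bit on every ancestor)."""
    return all(allowed(os.stat(d), uid, gids, X) for d in ancestors(path, root))

def findable(path, uid, gids, root):
    """Strict filter: the user could have discovered the name by listing, as find(1)
    would, which needs read and search permission on every ancestor."""
    return all(allowed(os.stat(d), uid, gids, R | X) for d in ancestors(path, root))

def demo():
    """Constructed tree mirroring the report: home/userA is 0711, private is 0644."""
    with tempfile.TemporaryDirectory() as root:
        user_a = os.path.join(root, "home", "userA")
        os.makedirs(user_a)
        for d, mode in ((root, 0o755), (os.path.dirname(user_a), 0o755), (user_a, 0o711)):
            os.chmod(d, mode)
        private = os.path.join(user_a, "private")
        with open(private, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(private, 0o644)
        user_b = (os.stat(private).st_uid + 1, set())  # hypothetical unrelated user
        loose = reachable(private, *user_b, root)
        strict = findable(private, *user_b, root)
        os.chmod(user_a, 0o755)  # owner opts in to directory listing
        return loose, strict, findable(private, *user_b, root)

if __name__ == "__main__":
    print(demo())
```

With the 0711 directory the loose filter would show the entry to userB while the strict filter hides it; the strict filter shows it only once the owner makes the directory listable.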

Comment 1 Kjartan Maraas 2003-04-02 23:22:26 UTC
Is this still true?

Comment 2 Bill Nottingham 2003-04-02 23:43:02 UTC

Comment 3 Karsten Hopp 2004-03-29 09:52:12 UTC
tested with slocate-2.7, fixed. 
