Bug 72193 - slocate reveals more information than necessary
slocate reveals more information than necessary
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: slocate (Show other bugs)
9
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Bill Nottingham
Brock Organ
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-08-21 17:09 EDT by Ryan Yagatich
Modified: 2014-03-16 22:30 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-03-29 04:52:12 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ryan Yagatich 2002-08-21 17:09:14 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)

Description of problem:
Under certain conditions, /usr/bin/locate may reveal information of file 
locations that would otherwise be protected based on filesystem permissions. 
example: /home/userA/private can be revealed to userB


Version-Release number of selected component (if applicable):


How reproducible:
Sometimes

Steps to Reproduce:
1. userA logs in, sets his home directory to 711 for things like web services 
(public_html/ is an example...)
2. userA creates file /home/userA/private
3. userB logs in, and calls '/usr/bin/locate \* | grep "^/home/userA"
4. userB sees /home/userA/private, and performs 'cat /home/userA/private'
	

Actual Results:  Results:
  /home/userA/private was successfully viewed by userB

Expected Results:  userB should not have been able to see that file as existing 
from locate because the permissions on /home/userA were set to 0711 instead of 
0755)

Additional info:

This scenario requires certain conditions to be met:
1) user must have their home directory set to 0711 (or at least the 'world' 
execute bit) for things like web services and so-on.
    --and--
[
2a) user must not have a modified bash_profile/bashrc file (nor on the system) 
where the default umask is set to 022.
    --or--
2b) user must not have modified the permissions of the file to remove world-
readability.
]

although these conditions are somewhat strict, from my experience most sites 
that are webservers and have /home/user/ set to 0711 if public_html exists and 
is available, and the umask is by default set to 022.

please also note that this 'bug' was marked as under 'security' for the 
potential of 'information gathering'.
Comment 1 Kjartan Maraas 2003-04-02 18:22:26 EST
Is this still true?
Comment 2 Bill Nottingham 2003-04-02 18:43:02 EST
Yes.
Comment 3 Karsten Hopp 2004-03-29 04:52:12 EST
tested with slocate-2.7, fixed. 

Note You need to log in before you can comment on or make changes to this bug.