Hello, There is an old known (i hope) security issue if unpriviledged users are allowed to open() a directory to get a file descriptor and then read() the contents of this file. A directory is itself a file storing the names and inodes numbers (etc.) of the files it contains, including deleted ones. So if a user reads this file it can get the names of the deleted files. The examples below show that on an old FreeBSD4.4, if you store files into a private directory readable only by you, then you remove every sensitive files and give read-only access to everyone on the directory (no execute perm needed), the filenames will still show up to any user. Same thing if you change the directory name, of course. (mv bad; rm then mkdir rules ;) This becomes an issue when sensitive information is disclosed into the filename. Sorry if it was already done on this mailing-list, but if not, I think it could be interesting to some people to know what systems are still vulnerable and what are not. - Linux is immuned: the read() call return the error EISDIR. OpenBSD seems also to be OK. - FreeBSD 4.4 is vulnerable (didn't looked the CVS, it could be patched at this time, anybody knows ?) - I saw this for the first time 3 years ago on a SunOS system while doing "cat /root" as a user. I don't know if current Sun systems are patched or not. Don't misunderstand me, this is not an advisory on a new vuln i discovered, it is a request to the security community for publishing more info on this topic, cause i am too lazy to check it myself (although a quick search on google and securityfocus gave me nothing). Regards, FozZy Hackademy / Hackerz Voice rooted# uname -v FreeBSD 4.4-RELEASE #0: Tue Sep 18 11:57:08 PDT 2001 murrayat_private:/usr/src/sys/compile/GE NERIC rooted# mkdir /test rooted# touch /test/public-doc rooted# chmod 700 /test rooted# ls -ld /test drwx------ 2 root wheel 512 Jun 22 13:01 /test rooted# touch /test/confidential-doc rooted# <...some work with the doc here...> rooted# rm /test/confidential-doc rooted# chmod 744 /test rooted# su guest $ hexdump -C /test 00000000 2d 4a 00 00 0c 00 04 01 2e 00 00 00 02 00 00 00 |-J..............| 00000010 0c 00 04 02 2e 2e 00 00 d7 4a 00 00 e8 01 08 0a |.........J......| 00000020 70 75 62 6c 69 63 2d 64 6f 63 00 c8 d8 4a 00 00 |public-doc...J..| 00000030 d4 01 08 10 63 6f 6e 66 69 64 65 6e 74 69 61 6c |....confidential| 00000040 2d 64 6f 63 00 ec 70 c8 00 00 00 00 00 00 00 00 |-doc..p.........| 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000200 $ /bin/ls /test public-doc $ exit rooted# ls -l /test -rw-r--r-- 1 root wheel 0 Jun 22 13:01 public-doc rooted# mv /test /public rooted# chmod 755 /public rooted# su guest $ ls -l /public -rw-r--r-- 1 root wheel 0 Jun 22 13:01 public-doc $ hexdump -C /public 00000000 2d 4a 00 00 0c 00 04 01 2e 00 00 00 02 00 00 00 |-J..............| 00000010 0c 00 04 02 2e 2e 00 00 d7 4a 00 00 e8 01 08 0a |.........J......| 00000020 70 75 62 6c 69 63 2d 64 6f 63 00 c8 d8 4a 00 00 |public-doc...J..| 00000030 d4 01 08 10 63 6f 6e 66 69 64 65 6e 74 69 61 6c |....confidential| 00000040 2d 64 6f 63 00 ec 70 c8 00 00 00 00 00 00 00 00 |-doc..p.........| 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000200 $ exit
This archive was generated by hypermail 2b30 : Sat Jun 22 2002 - 12:47:12 PDT