[ale] file and directory permission security

Dow Hurst dhurst at kennesaw.edu
Wed Jul 10 20:51:36 EDT 2002 

At the last ALE-NW meeting, I said based on my memory of something I 
thought I had read that you could have a world readable file in a 
non-world readable directory and if another user knew the exact path and 
filename that they could read the file.  Geoffrey tried it out and found 
I was wrong.  Now, is there a way to have limited permissions on a 
directory for groups or world and yet still have a security hole where 
they could operate on a file within that directory that has permissions 
allowing their access?  I've been busy and haven't had much time to go 
searching for where I thought I saw the exploit but I didn't want to let 
this go any longer.  Any comments?

Here is what Geoffrey tried and sent me in his words:

BEGIN----------------------------------
I want to make sure that I understood what you said last night regarding 
file/dir perms.  Correct me if I'm wrong, but you said that if you did 
not have permissions to search a directory, you could still view files 
in that directory if the file perms permitted such AND you know the full 
path to the file?

Here's my example:

$ ls -la  foo

total 36
drwx------    2 esoteric esoteric     4096 Jun 21 14:51 ./
drwx------  254 esoteric esoteric    28672 Jun 21 14:55 ../
-rw-r--r--    1 esoteric esoteric        7 Jun 21 14:51 bar

$ cat foo/bar
foobar

$ chmod 666 foo

$ ls -ld foo
drw-rw-rw-    2 esoteric esoteric     4096 Jun 21 14:51 foo/

$ cat foo/bar
cat: foo/bar: Permission denied

Now the interesting thing is, it appears that 'cat' acknowledges the 
file existence with the error message.  Because it appears to be telling 
me I don't have permissions to read the file foo/bar.  But if I try to 
list a non-existent file in the same way:


$ cat foo/barr
cat: foo/barr: Permission denied

I get the same error.  Just the same, it does appear that you can not 
read the file contents if you don't have search perms on the directory 
where the file resides.

In reality, I would expect the error message to say:

cat: foo: directory access denied

Or something along those lines.
END------------------------------


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.

More information about the Ale mailing list