[10760] in bugtraq
unneeded information in sudo
daemon@ATHENA.MIT.EDU (Bencsath Boldizsar)
Wed Jun 9 14:56:18 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.9906082113100.25130-100000@sas.fph.hu>
Date: Tue, 8 Jun 1999 21:23:55 +0200
Reply-To: Bencsath Boldizsar <boldi@BUDAPEST.HU>
From: Bencsath Boldizsar <boldi@BUDAPEST.HU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990607200655.A24726@earth.zuhause.de>
Sudo (Debian, v1.5.6p2-2) tells anyone whether a file exists or not. It's not
a very big problem, but when I set a directory _not_ accessible to anyone
but root, I want to make sure nobody knows what files are in it.
This applies to both executable and non-executable files: if there is no
file, "No such file or directory"; if it exists, "Permission denied" if not
executable and "You are not in sudoers" if executable.
> ls -la a
total 4
drwx------ 2 root root 1024 Jun 8 21:25 .
drwx------ 7 root root 1024 Jun 8 21:22 ..
-rwxr-xr-x 1 root root 1363 Jun 8 21:23 doit
> su - alias
No directory, logging in with HOME=/
$ /root/a/doit
su: /root/a/doit: Permission denied
$ /root/a/doit2
su: /root/a/doit2: Permission denied
$ sudo /root/a/doit
alias is not in the sudoers file. This incident will be reported.
$ sudo /root/a/doit2
sudo: /root/a/doit2: No such file or directory
$ dpkg -l sudo
...
||/ Name Version Description
+++-===============-==============-============================================
ii sudo 1.5.6p2-2 Provides limited super user privileges
> chmod a-x /root/a/doit
> su - alias
No directory, logging in with HOME=/
$ sudo /root/a/doit
sudo: /root/a/doit: Permission denied
$ sudo /root/a/doit2
sudo: /root/a/doit2: No such file or directory
boldi
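
The three distinct answers shown in the session above, as an added example that is not part of the original post and is not sudo's source code: a C model of a privileged helper that examines the path before the caller, next to one that checks the caller first. The names `authorized`, `probe`, `leaky`, `hardened` and `fixture`, the listed user "admin" and the /tmp paths are assumptions constructed for the illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum result { R_RUN, R_NOT_AUTHORIZED, R_NO_SUCH_FILE, R_PERM_DENIED };
/* Hypothetical stand-in for the sudoers lookup: only "admin" is listed. */
static int authorized(const char *user) { return strcmp(user, "admin") == 0; }

/* Path check, done with whatever privileges the (setuid) process holds. */
static enum result probe(const char *path) {
    struct stat sb;
    if (stat(path, &sb) != 0) return R_NO_SUCH_FILE;
    return (sb.st_mode & 0111) ? R_RUN : R_PERM_DENIED;
}

/* Order matching the report: the path is examined before the caller is. */
enum result leaky(const char *user, const char *path) {
    enum result r = probe(path);
    return (r == R_RUN && !authorized(user)) ? R_NOT_AUTHORIZED : r;
}

/* Caller first: an unlisted user gets the same answer for every path. */
enum result hardened(const char *user, const char *path) {
    return authorized(user) ? probe(path) : R_NOT_AUTHORIZED;
}

/* Constructed fixture: /tmp/oracle-<pid>/<name>; mode < 0 = do not create. */
void fixture(char *buf, size_t n, const char *name, int mode) {
    long pid = (long)getpid();
    snprintf(buf, n, "/tmp/oracle-%ld", pid);
    mkdir(buf, 0700);                 /* EEXIST on later calls is harmless */
    snprintf(buf, n, "/tmp/oracle-%ld/%s", pid, name);
    if (mode >= 0) {
        int fd = open(buf, O_CREAT | O_WRONLY, 0600);
        if (fd >= 0) { close(fd); chmod(buf, (mode_t)mode); }
    }
}

int main(void) {                      /* "alias" is unlisted, as in the post */
    char b[128];
    const char *n[] = { "doit", "noexec", "doit2" };
    int m[] = { 0755, 0644, -1 };
    for (int i = 0; i < 3; i++) {
        fixture(b, sizeof b, n[i], m[i]);
        printf("%-6s leaky=%d hardened=%d\n", n[i], leaky("alias", b), hardened("alias", b));
    }
    return 0;
}
```

For the unlisted caller, `leaky` returns three different results for the three paths while `hardened` returns the same one each time, so the reply no longer depends on the contents of the directory.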