[linux-cifs-client] [PATCH] Remove information leak in Linux
andi at firstfloor.org
Sat Jan 19 22:30:29 GMT 2008
On Sat, Jan 19, 2008 at 04:06:57PM -0600, Steve French wrote:
> The access denied message in the dmesg log reveals no more information
> than strace on stat of a local file does (which also returns access
You can't strace a process you don't own. And you might not be able
to access the directory below which the file is.
But there is no such access control on "dmesg". So if there is an
access error you leak the potentially protected information in
the file name
> denied and displays access denied), but I agree that logging on
> -EACCESS on lookup does clutter the log.
> I think it is ok to log a message on unexpected errors (for
> QueryPathInfo those would include anything other than ENOENT and
> EACCESS - Simo, can you think of others?) I don't mind ratelimiting
> logging on this clause (for errors other than ENOENT and EACCESS) but
> it would complicate the code for a case I have not seen in the wild.
> I prefer the following to remove the log cluttering on this case:
That would still be an information leak for other errors.
Logging the path would be only safe if you determine that the
file and all its parent directories were world read (and accessable)able,
but that would be probably difficult.
More information about the samba-technical