Re: Missing file gives bad error message
From: Eric Sorenson
Subject: Re: Missing file gives bad error message
Date: Tue, 20 Apr 2004 10:00:18 -0700 (PDT)
On Thu, 15 Apr 2004 Mark.Burgess@iu.hio.no wrote:
> On 15 Apr, Christian Pearce wrote:
> > Is there any reason we can't put file doesn't exist? Or is this a security
> > thing? (ie. don't give out information to a potential attacker)
> You hit the nail on the head.
This can't be true, can it? I looked into this pretty deeply because I
get many, many megabytes of these bogus errors due to the way I use
'singlecopy' to pick the best-match file out of a repository, and it
looked to me like the "couldn't stat" error was nested inside
RefuseAccess in cfservd.c, so it got the generic "access denied"
lines after the lstat-specific errors as a side-effect.
The client error (the presumable vector for an attack) does say more
concisely what the actual problem was, so if the intent was to obscure
information, it's not successful:
Apr 20 09:28:38 victor cfengine:victor[2448]: Can't stat /export/home/local/cfengine2/dist/etc/ldap.conf.victor in copy
I couldn't find an easy way to change this behavior, but if there's
anyone else who cares to look at it, IMO it would be beneficial to make "can't
stat" on the server just say the actual problem instead of the additional
(misleading) error.
Apr 20 09:28:38 sinistar cfservd[12312]: Couldn't stat filename /export/home/local/cfengine2/dist/etc/ldap.conf.victor from host victor.xxx.com
Apr 20 09:28:38 sinistar cfservd[12312]: lstat
Apr 20 09:28:38 sinistar cfservd[12312]: Host authorization/authentication failed or access denied
Apr 20 09:28:38 sinistar cfservd[12312]: From (host=victor.xxx.com,user=root,ip=10.0.2.120)
Apr 20 09:28:38 sinistar cfservd[12312]: ID from connecting host: (SYNCH 1082478518 STAT /export/home/local/cfengine2/dist/etc/ldap.conf.victor)
--
Eric Sorenson - EXPLOSIVE Networking - http://explosive.net
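
Added example, not part of the message above and not cfengine code: a log triage sketch in Python that separates the stat-failure case described in the post from denials that have no preceding "Couldn't stat" line. The names `classify` and `SAMPLE` are hypothetical, the last two sample lines are constructed, and grouping lines by timestamp and pid is an assumption about how cfservd logs one request.

```python
import re
from collections import defaultdict

# Constructed sample: the first five lines follow the server log quoted in the
# post (unwrapped); the last two are a made-up denial with no stat failure.
SAMPLE = """\
Apr 20 09:28:38 sinistar cfservd[12312]: Couldn't stat filename /export/home/local/cfengine2/dist/etc/ldap.conf.victor from host victor.xxx.com
Apr 20 09:28:38 sinistar cfservd[12312]: lstat
Apr 20 09:28:38 sinistar cfservd[12312]: Host authorization/authentication failed or access denied
Apr 20 09:28:38 sinistar cfservd[12312]: From (host=victor.xxx.com,user=root,ip=10.0.2.120)
Apr 20 09:28:38 sinistar cfservd[12312]: ID from connecting host: (SYNCH 1082478518 STAT /export/home/local/cfengine2/dist/etc/ldap.conf.victor)
Apr 20 09:31:02 sinistar cfservd[12400]: Host authorization/authentication failed or access denied
Apr 20 09:31:02 sinistar cfservd[12400]: From (host=client.example,user=root,ip=192.0.2.7)
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) cfservd\[(\d+)\]: (.*)$")
STAT = re.compile(r"^Couldn't stat filename (\S+) from host (\S+)$")
FROM = re.compile(r"^From \(host=([^,]*),user=([^,]*),ip=([^)]*)\)$")
DENIED = "Host authorization/authentication failed or access denied"

def classify(log_text):
    """Label each denial; assumes one request shares a (timestamp, server, pid)."""
    groups = defaultdict(dict)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a cfservd syslog line
        key, msg = m.group(1, 2, 3), m.group(4)
        g = groups[key]
        if (s := STAT.match(msg)):
            g["path"], g["client"] = s.group(1), s.group(2)
        elif msg == DENIED:
            g["denied"] = True
        elif (f := FROM.match(msg)):
            g["client"], g["ip"] = f.group(1), f.group(3)
    results = []
    for (ts, server, pid), g in groups.items():
        if not g.get("denied"):
            continue
        # A denial that follows a stat error is the side effect the post describes.
        kind = "stat-failure" if "path" in g else "access-denied"
        results.append({"time": ts, "pid": pid, "kind": kind,
                        "client": g.get("client"), "ip": g.get("ip"),
                        "path": g.get("path")})
    return results

if __name__ == "__main__":
    for r in classify(SAMPLE):
        print(r)
```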