Created attachment 74038
extra system information as described in http://www.freedesktop.org/wiki/Software/udisks

Reported originally to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698774 but here is a copy.

Package: udisks
Version: 1.0.1+git20100614-3
Severity: important
Tags: security

It seems that org.freedesktop.UDisks.FindDeviceByDeviceFile can be used to discover whether a directory exists even if the user should not have any access to it:

$ ls -ld /root/.ssh
ls: cannot access /root/.ssh: Permission denied
$ ls -ld /root/.foo
ls: cannot access /root/.foo: Permission denied
$ dbus-send --print-reply --system --dest=org.freedesktop.UDisks /org/freedesktop/UDisks org.freedesktop.UDisks.FindDeviceByDeviceFile string:"/root/.ssh/../../dev/sda1"
method return sender=:1.28 -> dest=:1.3755 reply_serial=2
   object path "/org/freedesktop/UDisks/devices/sda1"
$ dbus-send --print-reply --system --dest=org.freedesktop.UDisks /org/freedesktop/UDisks org.freedesktop.UDisks.FindDeviceByDeviceFile string:"/root/.foo/../../dev/sda1"
Error org.freedesktop.UDisks.Error.Failed: No such device

This bug was inspired by bug #697464.

-- System Information:
Debian Release: 6.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-0.bpo.2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages udisks depends on:
ii  dbus                   1.2.24-4+squeeze1   simple interprocess messaging syst
ii  libatasmart4           0.17+git20100219-2  ATA S.M.A.R.T. reading and parsing
ii  libc6                  2.11.3-4            Embedded GNU C Library: Shared lib
ii  libdbus-1-3            1.2.24-4+squeeze1   simple interprocess messaging syst
ii  libdbus-glib-1-2       0.88-2.1            simple interprocess messaging syst
ii  libdevmapper1.02.1     2:1.02.48-5         The Linux Kernel Device Mapper use
ii  libglib2.0-0           2.24.2-1            The GLib library of C routines
ii  libgudev-1.0-0         164-3               GObject-based wrapper library for
ii  libparted0debian1      2.3-5               The GNU Parted disk partitioning s
ii  libpolkit-backend-1-0  0.96-4+squeeze2     PolicyKit backend API
ii  libpolkit-gobject-1-0  0.96-4+squeeze2     PolicyKit Authorization API
ii  libsgutils2-2          1.29-1              utilities for devices using the SC
ii  libudev0               164-3               libudev shared library
ii  udev                   164-3               /dev/ and hotplug management daemo

Versions of packages udisks recommends:
ii  dosfstools             3.0.9-1             utilities for making and checking
ii  hdparm                 9.32-1              tune hard disk parameters for high
pn  mtools                 <none>              (no description available)
pn  ntfs-3g                <none>              (no description available)
pn  ntfsprogs              <none>              (no description available)
ii  policykit-1            0.96-4+squeeze2     framework for managing administrat

Versions of packages udisks suggests:
ii  cryptsetup             2:1.1.3-4squeeze2   configures encrypted block devices
pn  mdadm                  <none>              (no description available)
pn  reiserfsprogs          <none>              (no description available)
pn  xfsprogs               <none>              (no description available)

-- no debconf information

This is filed against udisks1, and I don't think there's an equivalent operation in udisks2 so it can probably be closed as wontfix.
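
One way to remove the kind of existence oracle shown in the report above, as an added example that is not part of the report and not udisks code: decide from the path string alone whether a device file lookup is allowed, before anything is resolved on the file system. The function name and the /dev-only policy are assumptions made for the illustration, and symlink handling is outside what this check covers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not udisks code): decide from the string alone
 * whether a caller-supplied device file path may be looked up.
 * No stat(), realpath() or open() is called, so the answer cannot
 * depend on directories the caller is unable to read. */
bool device_path_is_acceptable(const char *path)
{
    static const char prefix[] = "/dev/";
    const size_t plen = sizeof(prefix) - 1;

    if (path == NULL || strncmp(path, prefix, plen) != 0)
        return false;                   /* must start below /dev */

    const char *p = path + plen;
    if (*p == '\0')
        return false;                   /* "/dev/" names no device */

    while (*p != '\0') {
        size_t len = strcspn(p, "/");   /* length of this component */
        if (len == 0)
            return false;               /* empty component: "//" */
        if ((len == 1 && p[0] == '.') ||
            (len == 2 && p[0] == '.' && p[1] == '.'))
            return false;               /* "." or ".." component */
        p += len;
        if (*p == '/' && *++p == '\0')
            return false;               /* trailing slash */
    }
    return true;
}

int main(void)
{
    /* Constructed inputs; the first two are the paths from the report. */
    const char *samples[] = {
        "/root/.ssh/../../dev/sda1",
        "/root/.foo/../../dev/sda1",
        "/dev/../root/.ssh/../../dev/sda1",
        "/dev/sda1",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s %s\n", samples[i],
               device_path_is_acceptable(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Both paths from the report are rejected with the same result, so the reply no longer differs depending on whether /root/.ssh or /root/.foo exists.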