[620] in linux-security and linux-alert archive


[linux-security] updatedb + locate

daemon@ATHENA.MIT.EDU (James Golovich)
Sat Mar 2 17:03:27 1996

Date: Sat, 2 Mar 1996 14:19:29 -0500 (EST)
From: James Golovich <james@mfaa.com>
To: linux-security@tarsier.cv.nrao.edu

I don't know if this has been brought to anyone's attention.
updatedb is installed in the Slackware (this is the only distribution I
know about) crontab, and it is running as root...  Every file which root
can see is added to the filename database. I tested this:

as root
mkdir /root/cantsee
touch /root/cantsee/locatefile
chmod 000 /root/cantsee
updatedb

then as a regular user:
locate locatefile

and sure enough it locates a file that it isn't supposed to see...
I am sure that if enough regular users used locate, you could run
updatedb as a regular user and then only the files that they could see
would be in the database...


James Golovich
james@annis.com


[Mod: This problem was discussed briefly, and a sample patch was
provided, in postings to linux-security on Nov. 9 and 10, 1995.  For
those that are still interested, or that missed them, these archived
postings can be retrieved in the following two (among other) ways:

1) Send an e-mail message to the address "majordomo@linux.nrao.edu" with
a message body (not subject!) of:
get linux-security-digest v01.n047

2) FTP/WWW URL:
ftp://linux.nrao.edu/pub/security/list-archive/linux-security-digest/v01.n047

--Jeff.]
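The leak described in the post comes from indexing the tree with root's privileges and then serving the index to every user. The fix the poster suggests (build the database as an unprivileged user) is what GNU findutils' updatedb later offered with its --localuser option, and mlocate instead checks directory permissions at query time. The script below is an added illustration, not code from the post or from any locate implementation: it models the "other" (world) view of a constructed directory tree, mirroring the /root/cantsee test, and shows which entries a root-built database would expose that a world-visible index would not. Function names (world_can_list, build_db, leaked_entries, scan_tree) and the sample tree are assumptions made for the example.

```python
import os
import stat
from typing import Dict, Iterator, List

# Constructed sample of path -> st_mode as an updatedb run by root would see
# it. It reproduces the post's /root/cantsee experiment plus an ordinary
# home directory with one private subdirectory.
SAMPLE_TREE: Dict[str, int] = {
    "/": stat.S_IFDIR | 0o755,
    "/root": stat.S_IFDIR | 0o750,
    "/root/cantsee": stat.S_IFDIR | 0o000,
    "/root/cantsee/locatefile": stat.S_IFREG | 0o644,
    "/home": stat.S_IFDIR | 0o755,
    "/home/james": stat.S_IFDIR | 0o755,
    "/home/james/notes.txt": stat.S_IFREG | 0o644,
    "/home/james/private": stat.S_IFDIR | 0o700,
    "/home/james/private/secret": stat.S_IFREG | 0o600,
}


def ancestors(path: str) -> Iterator[str]:
    """Yield '/', then each directory leading to path's parent (parent included)."""
    yield "/"
    cur = ""
    for part in path.strip("/").split("/")[:-1]:
        cur += "/" + part
        yield cur


def world_can_list(path: str, tree: Dict[str, int]) -> bool:
    """True if a user who is neither owner nor group member (e.g. 'nobody')
    could learn this name by normal means: every ancestor directory must be
    searchable (o+x) and the immediate parent must be readable (o+r)."""
    dirs = list(ancestors(path))
    for d in dirs:
        mode = tree.get(d)
        if mode is None or not stat.S_ISDIR(mode):
            return False
        if not mode & stat.S_IXOTH:
            return False
    parent = dirs[-1]
    return bool(tree[parent] & stat.S_IROTH)


def build_db(tree: Dict[str, int]) -> List[str]:
    """Filename database as an unprivileged indexer would build it."""
    return sorted(p for p in tree if p != "/" and world_can_list(p, tree))


def leaked_entries(tree: Dict[str, int]) -> List[str]:
    """Names present in a root-built database but hidden from ordinary users."""
    root_view = {p for p in tree if p != "/"}
    return sorted(root_view - set(build_db(tree)))


def scan_tree(top: str) -> Dict[str, int]:
    """Build the same path -> st_mode map from a live filesystem (lstat, no
    symlink following). Run as root to reproduce the post's observation."""
    tree: Dict[str, int] = {top: os.lstat(top).st_mode}
    for dirpath, dirnames, filenames in os.walk(top):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                tree[full] = os.lstat(full).st_mode
            except OSError:
                continue
    return tree


if __name__ == "__main__":
    print("world-visible index:", build_db(SAMPLE_TREE))
    print("leaked by root-built index:", leaked_entries(SAMPLE_TREE))
```

On the sample tree the world-visible index keeps /home/james/notes.txt and the name /home/james/private, but drops /root/cantsee and everything under it, which is exactly the set of names the post saw locate hand to a regular user. The o+r check on the parent is deliberate: a directory that is searchable but not readable lets users open files whose names they already know, yet it does not let them enumerate names, so an index that lists them would still disclose more than the filesystem does.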
