[686] in linux-security and linux-alert archive
[linux-security] locate & updatedb
daemon@ATHENA.MIT.EDU (Jordy)
Fri Apr 26 09:50:16 1996
Date: Thu, 25 Apr 1996 03:25:19 -1000 (HST)
From: Jordy <jordy@lava.net>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.91.960423133954.9818I-100000@helix>
i'm curious about locate and updatedb. From the standard installation of
slackware 3.0, it looks like any users can pull up the contents of any
directory they choose. Take this example:
#id
uid=509(jordy) gid=100(users) groups=100(users)
#ls -l /usr |grep admin
drwx------ 2 root users 1024 Apr 25 08:15 admin/
#locate admin
/usr/admin
/usr/admin/bar
/usr/admin/foo
------------------ END INFO ------------
i've noticed this problem for quite a while. updatedb is standard in the
crontab of root, so it can enter any directories root can enter. An easy
fix is to simply run it as another user, or disable locate all together.
,'~``. ,'``~.
( o o ) ,( o o ),
+--.oooO--(_)--Oooo.--------------------.oooO--(_)--Oooo.----+
| http://www.lava.net/~jordy/index.html |
| There are people in this world that look at art but can't |
| see it. There are also people who listen to music but |
| don't hear it. I feel sorry for those who look and |
| listen and envious of those who can see and hear. |
| |
| [Chief Network Admin For Thirdwave.Net & Really Nifty Guy] |
| .oooO jordy@lava.net & Oooo. |
| ( ) Oooo. jordy@thirdwave.net .oooO ( ) |
+-----\ (----( )------------------------( )--- ) /-------+
\_) ) / \ ( (_/
(_/ \_)
