[695] in linux-security and linux-alert archive
Re: [linux-security] locate & updatedb
daemon@ATHENA.MIT.EDU (John Gilmore)
Fri May 3 08:46:02 1996
To: linux-security@tarsier.cv.nrao.edu, gnu@toad.com
In-reply-to: <Pine.SOL.3.91.960427052525.13004A-100000@newworld.bridge.net>
Date: Thu, 02 May 1996 23:13:41 -0700
From: John Gilmore <gnu@toad.com>

> I've noticed this problem for quite a while. updatedb is standard in the
> crontab of root, so it can enter any directories root can enter. An easy
> fix is to simply run it as another user, or disable locate altogether.
> [or use --prunepaths=...]

I think a more durable solution would be to add a call to access() in
the locate command. Before returning any file name on stdout, locate
would check that it is accessible to the user who's running locate.
This not only allows a full root `find' in updatedb, but also has the
nice side effect of eliminating files from locate's output if they have
been deleted or made inaccessible since updatedb was run by cron.
John Gilmore
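
The check proposed in the message above, written as a stand-alone filter over locate-style output. This is an added example, not code from the original message or from the locate source; the function names `caller_can_see`, `filter_names` and `stale_entry_is_dropped` and the temporary file path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: 1 if the invoking user can reach `path` right now.
 * access() tests with the real uid/gid, so the answer is about the person
 * running the command even if the binary is setuid. F_OK fails with EACCES
 * when a directory on the path is not searchable by that user, and with
 * ENOENT when the file has been removed since the database was built. */
int caller_can_see(const char *path)
{
    return access(path, F_OK) == 0;
}

/* Copy newline-separated names from `in` to `out`, dropping every name the
 * caller cannot reach. Returns the number of names kept. */
size_t filter_names(FILE *in, FILE *out)
{
    char *line = NULL;
    size_t cap = 0, kept = 0;
    ssize_t n;
    while ((n = getline(&line, &cap, in)) != -1) {
        if (n > 0 && line[n - 1] == '\n')
            line[n - 1] = '\0';          /* strip the newline */
        if (line[0] != '\0' && caller_can_see(line)) {
            fprintf(out, "%s\n", line);
            kept++;
        }
    }
    free(line);
    return kept;
}

/* Constructed check of the stale-entry case: a name that was valid when
 * "indexed" is dropped once the file is deleted. Returns 1 on success. */
int stale_entry_is_dropped(void)
{
    char path[] = "/tmp/locate-demo-XXXXXX";   /* constructed sample path */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    int before = caller_can_see(path);
    unlink(path);
    return before == 1 && caller_can_see(path) == 0;
}

/* Usage: locate pattern | ./visible   (binary name is an assumption) */
int main(void) { return filter_names(stdin, stdout) ? 0 : 1; }
```

The permission-denied branch cannot be observed when the filter runs as root, because root passes every access() check.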