[697] in linux-security and linux-alert archive
Re: [linux-security] locate & updatedb
daemon@ATHENA.MIT.EDU (Mark Cooke)
Sat May 4 12:30:59 1996
Date: Fri, 3 May 1996 17:00:17 +0100 (BST)
From: Mark Cooke <mpc@star.sr.bham.ac.uk>
To: John Gilmore <gnu@toad.com>
cc: linux-security@tarsier.cv.nrao.edu, gnu@toad.com
In-Reply-To: <199605030613.XAA04003@toad.com>
On Thu, 2 May 1996, John Gilmore wrote:
> > I've noticed this problem for quite a while. updatedb is standard in the
> > crontab of root, so it can enter any directories root can enter. An easy
> > fix is to simply run it as another user, or disable locate altogether.
> > [or use --prunepaths=...]
>
> I think a more durable solution would be to add a call to access() in
> the locate command. Before returning any file name on stdout, locate
> would check that it is accessible to the user who's running locate.
Yes - but you'd have to make the locate program suid a dummy user,
and the database 600 to prevent your users from importing the source and
compiling without access().
Mark
------------------------------------------------------------------------------
Mark Cooke                  The views expressed above are mine
Systems Programmer          and do not reflect in any way the
University Of Birmingham    current policy of my employers.
------------------------------------------------------------------------------
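The two measures discussed in this thread, an access() check before a name is printed and a database readable only by the dummy user a setuid locate runs as, shown together as an added C example. It is not code from the thread or from any locate implementation; the function names and sample paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The database must be a regular file owned by the effective uid (the dummy
 * user a setuid locate runs as) with no group/other bits set, e.g. mode 600.
 * Otherwise users can read it directly and skip the access() filter. */
int db_is_private(const char *db_path)
{
    struct stat st;

    if (stat(db_path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != geteuid())
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* access() checks with the REAL uid/gid, so inside a setuid binary it still
 * answers for the invoking user. F_OK fails unless that user can search every
 * directory leading to the path. */
int visible_to_caller(const char *path)
{
    return access(path, F_OK) == 0;
}

/* Copy only the matches the caller may see into out; return how many. */
size_t filter_matches(const char *const *matches, size_t n, const char **out)
{
    size_t kept = 0;

    for (size_t i = 0; i < n; i++)
        if (visible_to_caller(matches[i]))
            out[kept++] = matches[i];
    return kept;
}

int main(void)
{
    /* Constructed stand-ins for names read from the locate database. */
    const char *matches[] = { "/", "/constructed-missing-dir/secret.txt" };
    const char *out[2];
    size_t n = filter_matches(matches, 2, out);

    for (size_t i = 0; i < n; i++)
        puts(out[i]);
    return 0;
}
```

The check runs against the file system at query time, so a name recorded by updatedb is shown or hidden according to the permissions in force when locate is run, not when the database was built.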