[22061] in bugtraq
Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate
daemon@ATHENA.MIT.EDU (Olaf Bohlen)
Wed Aug 1 16:50:42 2001
Message-Id: <200108012021.f71KLbf16178@fyona.sun-powered.de>
Date: Wed, 1 Aug 2001 22:21:37 +0200 (MEST)
From: Olaf Bohlen <firefox@is.sun-powered.de>
Reply-To: Olaf Bohlen <firefox@is.sun-powered.de>
To: bugtraq@securityfocus.com, reed@reedmedia.net
Hi,
>This doesn't say whether the locate database is always owned by nobody or
>just temporarily. (I am not at a slackware box.) I am just curious,
>because
This is on my Slackware 8 box:
freyr:/var/spool/locate# ls -l locatedb
-rw-r--r-- 1 nobody nogroup 1664857 Aug 1 04:42 locatedb
And this remains as nobody/nogroup.
But: no user (except root) should be able to gain access to nobody. So
this is not a security hole imho.
Also if you run apache-cgi's as user, apache chowns to the owner of the
cgi before executing it:
-- snip --
#!/bin/sh
echo "Content-type: text/plain"
echo
echo -n "Running cgi as: "
id
echo "Running httpd as: "
ps -ef | grep httpd | head -1
-- snip --
reports when executed by apache:
Running cgi as: uid=4109(dackel) gid=80(www) groups=80(www)
Running httpd as:
www 24330 23441 0 00:42 ? 00:00:27 /usr/local/apache/bin/httpd -DSS
So, I don't see a problem here.
Cheers
--
-- Olaf Bohlen --------------------- cell +49-172-4561817 --
-- Maxfeldstrasse 16 --- mail <firefox@is.sun-powered.de> --
-- 90409 Nuernberg ------ http http://www.sun-powered.de/ --
-- Germany ---------------------- irc firefox01 (IRC-Net) --
-- ------------------------------------------------------ --