[22106] in bugtraq
Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate
daemon@ATHENA.MIT.EDU (Jeffrey Denton)
Fri Aug 3 11:08:37 2001
Date: Fri, 3 Aug 2001 06:38:14 -0700 (MST)
From: Jeffrey Denton <dentonj@c2i2.com>
To: "Jeremy C. Reed" <reed@reedmedia.net>
Cc: <bugtraq@securityfocus.com>
In-Reply-To: <Pine.LNX.4.21.0108011137240.10725-100000@pilchuck.reedmedia.net>
Message-ID: <0108030632270.4876-100000@localhost>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 1 Aug 2001, Jeremy C. Reed wrote:
> This doesn't say whether the locate database is always owned by nobody or
> just temporary. (I am not at a slackware box.) I am just curious, because
> some operating systems first create the database as nobody and then
> immediately change the ownership (via a weekly cron job for example).
>
> If it is just temporary, then I assume an exploit must be timed.
>
> But, if it is always owned by nobody, then that is a problem. Nothing should
> really be owned by "nobody" -- isn't that the purpose of the unprivileged
> user?
>
> If files/directories should be owned by nobody, please share some
> examples.

This is on a 7.1 box. It doesn't have a full install on it so there may
possibly be more. I'm not running a proxy either. My guess (just a guess!) is
files used by the proxy may also be owned by nobody.

# find / -user nobody -ls
294913    1 drwxr-xr-x   2 nobody   bin          1024 Aug  3 04:41 /var/spool/locate
294914  884 -rw-r--r--   1 nobody   nogroup    904693 Aug  3 04:41 /var/spool/locate/locatedb
155654    1 drwxr-xr-x   2 nobody   nobody       1024 Mar 20 02:58 /var/cache/proxy

dentonj
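
Added example, not part of the original message: a shell audit that extends the `find / -user nobody` check above by separating entries the account can modify directly (owner write bit set, as on the locatedb listing) from those that are only owned by it. The function names `audit_owned` and `count_modifiable` are hypothetical; GNU or BSD `find` is assumed.

```shell
#!/bin/sh
# Added example: audit what a shared unprivileged account (e.g. "nobody") owns.
#
# audit_owned ROOT ACCOUNT
#   Prints one line per entry under ROOT owned by ACCOUNT:
#     MODIFIABLE <path>  owner write bit set, so any process running as
#                        ACCOUNT can alter the entry directly
#     READONLY   <path>  owned by ACCOUNT with the write bit clear (the
#                        owner can still chmod it, so this is not "safe")
audit_owned() {
    root=$1
    account=$2   # user name or numeric uid
    # -xdev keeps the walk on one filesystem (skips /proc, network mounts).
    find "$root" -xdev -user "$account" -perm -200 -print 2>/dev/null |
        sed 's/^/MODIFIABLE /'
    find "$root" -xdev -user "$account" ! -perm -200 -print 2>/dev/null |
        sed 's/^/READONLY   /'
}

# count_modifiable ROOT ACCOUNT
#   Prints the number of MODIFIABLE entries; useful as a cron check that
#   alerts when the count is not zero.
count_modifiable() {
    # grep -c exits 1 when the count is 0; keep the printed "0" anyway.
    audit_owned "$1" "$2" | grep -c '^MODIFIABLE ' || true
}

# Typical use on a live system (run as root so every directory is readable):
#   audit_owned / nobody
```
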