[2957] in bugtraq
Re: locate
daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Wed Jul 17 16:20:08 1996
Date: Wed, 17 Jul 1996 14:49:18 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: Your message of Tue, July 16, 1996 22:54:10 -0800
"IO" == Ian Otsane <insanity@acidtrip.alaska.edu> writes:
IO> There is a minor problem with the "locate" command that comes with
IO> linux (or perhaps other machines too). You can use it to look into
IO> other people's directories (assuming that you keep the database up to
IO> date, and the database file is world readable, as is the default).
IO> Just type "locate /home/username" and you get a complete list of
IO> what they have. A possible modification to fix this would be to
IO> either make the locate database chmod 600 (which would deny everyone
IO> all access) or to make updatedb only record entries which are in
IO> world readable directories.
This subject has been discussed quite a bit (read: almost beaten into
the ground) on the linux-security list(s).
Personally, I run the 'find' commands within 'updatedb' as "nobody," but
that requires hacking the script.
--Up.
P.S. 'update' and 'locate' are part of the GNU 'find' package; they're
not Linux-specific code.
--
Jeff Uphoff - systems/network admin. | juphoff@nrao.edu
National Radio Astronomy Observatory | juphoff@bofh.org.uk
Charlottesville, VA, USA | jeff.uphoff@linux.org
PGP key available at: http://www.cv.nrao.edu/~juphoff/
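
The "only record entries which are in world readable directories" fix proposed in the quoted message can be sketched as follows. This is an added example, not part of the original post and not code from the GNU 'find' package. The function names and the directory tree are hypothetical, and it assumes that checking the "other" permission bits (ignoring ACLs and anything above the starting directory) is enough to decide visibility.

```python
import os
import stat
import tempfile

OTHER_RX = stat.S_IROTH | stat.S_IXOTH  # o+r to list names, o+x to enter


def build_listing(root, world_only):
    """Collect every path under root, as an updatedb-style indexer would.

    With world_only=True, do not descend into a directory unless its
    'other' bits grant read and search, so the index holds only names an
    unprivileged user could have listed directly.
    """
    names = []
    for dirpath, dirnames, filenames in os.walk(root):
        # A directory's own name is visible in its parent, so record it
        # even when its contents are about to be skipped.
        names += [os.path.join(dirpath, n) for n in dirnames + filenames]
        if world_only:
            dirnames[:] = [
                d for d in dirnames
                if (os.lstat(os.path.join(dirpath, d)).st_mode & OTHER_RX) == OTHER_RX
            ]
    return sorted(names)


def demo():
    """Constructed tree: alice's home is 0755, bob's is 0700."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        for user, mode in (("alice", 0o755), ("bob", 0o700)):
            projects = os.path.join(home, user, "projects")
            os.makedirs(projects)
            open(os.path.join(projects, "notes.txt"), "w").close()
            os.chmod(projects, 0o755)
            os.chmod(os.path.join(home, user), mode)
        full = build_listing(home, world_only=False)
        safe = build_listing(home, world_only=True)
        rel = lambda paths: [os.path.relpath(p, home) for p in paths]
        return rel(full), rel(safe)


if __name__ == "__main__":
    full, safe = demo()
    print("index built with full privileges:", full)
    print("index limited to world-readable directories:", safe)
    print("names exposed only by the privileged index:", sorted(set(full) - set(safe)))
```

Running the indexing pass as an unprivileged account such as "nobody" reaches a similar result by letting the kernel enforce the same permission checks during the walk.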