[2958] in bugtraq
Re: locate
daemon@ATHENA.MIT.EDU (Christian Limpach)
Wed Jul 17 18:04:44 1996
Date: Wed, 17 Jul 1996 22:52:29 +0200
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Christian Limpach <Christian.Limpach@nice.ch>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199607170654.WAA00710@acidtrip.alaska.edu> (message from Ian
Otsane on Tue, 16 July 1996 22:54:10 -0800)
> There is a minor problem with the "locate" command that comes with
> linux (or perhaps other machines too). You can use it to look into
> other people's directories (assuming that you keep the database up to
> date, and the database file is world readable, as is the default).
> Just type "locate /home/username" and you get a complete list of
> what they have. A possible modification to fix this would be to
> either make the locate database chmod 600 (which would deny everyone
> all access) or to make updatedb only record entries which are in
> world readable directories.
The locate database here is only accessible by user locatedb, locate
is setuid locatedb to open the database and will then stat files as
the user before revealing their names. Since the number of files to
check is usually quite small, this doesn't really slow down
locate...

A patch to findutils-4.1's locate.c is available as
ftp://nice.ethz.ch/users/chris/findutils-4.1.locate.patch

A script which installs a user (under nextstep) and generates a script
to run updatedb so that locatedb will not be world-readable during
update is available as
ftp://nice.ethz.ch/users/chris/findutils-4.1.locate.after.inst.sh

christian
--
Christian Limpach, CS-Student @ ETH Zurich, Switzerland.
http://nice.ethz.ch/~chris --- System-Administration VIS/NiCE
member of the managing board of VIS (http://www.vis.inf.ethz.ch/)
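
The check described in the reply (open the database under the setuid identity, then stat each match as the invoking user before printing it), as an added C example. It is not the findutils-4.1.locate.patch and not code from the original post; the function names and sample paths are constructed for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for setreuid() and lstat() */
#endif
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permanently return to the invoking user's uid. In a setuid-locatedb
 * binary this runs after the database is open and before any name is
 * checked. Returns 0 on success, -1 if the drop did not take effect. */
int drop_to_real_user(void)
{
    uid_t ruid = getuid();
    if (setreuid(ruid, ruid) != 0)
        return -1;
    return (geteuid() == ruid && getuid() == ruid) ? 0 : -1;
}

/* Copy into out[] the candidates the current (unprivileged) user can
 * lstat(). lstat() fails with EACCES when a leading directory is not
 * searchable and with ENOENT for stale entries; both stay hidden.
 * Returns the number of visible paths. */
size_t filter_visible(const char *const *cand, size_t n, const char **out)
{
    size_t kept = 0;
    struct stat st;
    for (size_t i = 0; i < n; i++)
        if (lstat(cand[i], &st) == 0)
            out[kept++] = cand[i];
    return kept;
}

int main(void)
{
    /* Constructed stand-in for pattern matches read from the database. */
    const char *matches[] = { "/", "/constructed-no-such-dir/secret.txt", "/tmp" };
    const char *shown[3];

    /* A real setuid binary would open the database here, then drop. */
    if (drop_to_real_user() != 0) {
        fputs("cannot drop privileges\n", stderr);
        return 1;
    }
    size_t n = filter_visible(matches, 3, shown);
    for (size_t i = 0; i < n; i++)
        puts(shown[i]);
    return 0;
}
```

lstat() needs only search permission on the parent directories, so a name inside a directory that is searchable but not readable would still be shown by this check.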