Re: Opinions sought: mlocate appropriate for Priority: standard?
Joey Hess writes ("Re: Opinions sought: mlocate appropriate for Priority: standard?"):
> Given the security history of slocate, and since mlocate has a similar
> design from a security POV, it would be good to get a thurough audit of
> mlocate, perhaps trying some of the same holes. At least it doesn't seem
> to be vulnerable to the attack described in CVE-2007-0227.
I think setgid is entirely the wrong approach here. And these kind of
vulnerabilities are an inevitable consequence.