
Re: 'locate' does not check permissions



On Thu, Jun 07, 2001 at 05:21:52PM -0600, Hubert Chan wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> >>>>> "Pedro" == Pedro Zorzenon Neto <pzn@terra.com.br> writes:
> 
> Pedro> Hi list, I created a directory /home/pzn/private/ and chmod it
> Pedro> go-rwx to put my private things.  Then nobody can see the
> Pedro> contents and files of this directory, right? I believed it was
> Pedro> true, but another user can do:
> 
> Pedro>    $ ls -l ~pzn/
> Pedro>      ...
> Pedro>      drwx--S---   20 pzn      pzn          4096 Mai 16 09:54 private
> Pedro>      ...
> Pedro>    $ locate private | grep "/home/pzn/private"
> Pedro>      the whole contents of my private dir suddenly appears here...
> 
> Pedro>    Why doesn't locate/updatedb save the permissions?

 That's not their bailiwick.  They don't even try.  However, the cron job
that runs updatedb on Debian, /etc/cron.daily/find, passes
--localuser=nobody, so only files that nobody can see get into locatedb.  If
your system is old and slow, you might want to stick with locate and live
with not being able to locate files in your own private directories.
Otherwise, see if slocate runs fast enough to be worth the tradeoff of speed
for better location capability.

> 
> Install the slocate package.  It behaves properly.
> 
> Then delete your old locate database (/var/lib/locate/locatedb), so that
> people can't use the old locate.
> 
> slocate will automatically make a symlink from locate to its own binary,
> so you can still use the "locate" command.
 
-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
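
An added example, not part of the original thread: a Python audit for the concern discussed above, namely a locate database that lists paths other users could not have listed themselves. The function names are hypothetical, the list of paths is assumed to have been read from the database already, and only the classic "other" permission bits are modeled (no group membership or ACLs).

```python
import os
import stat
import tempfile

def visible_to_others(path, root="/"):
    """True if a user holding only 'other' rights could learn that path exists."""
    root = os.path.realpath(root)
    directory = os.path.realpath(os.path.dirname(os.path.abspath(path)))
    needed = stat.S_IROTH              # listing the parent directory needs r
    while True:
        if os.stat(directory).st_mode & needed != needed:
            return False
        if directory == root or directory == os.path.dirname(directory):
            return True
        directory = os.path.dirname(directory)
        needed = stat.S_IXOTH          # every ancestor above it needs x

def leaked_entries(db_paths, root="/"):
    """Database entries that sit in directories closed to other users."""
    leaked = []
    for path in db_paths:
        try:
            if not visible_to_others(path, root):
                leaked.append(path)
        except FileNotFoundError:
            continue                   # stale entry: directory no longer exists
    return leaked

def build_sample_tree():
    """Constructed sample: a home with one go-rwx and one public subdirectory."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home", "pzn")
    files = []
    for sub, mode in (("private", 0o700), ("public", 0o755)):
        directory = os.path.join(home, sub)
        os.makedirs(directory)
        os.chmod(directory, mode)
        name = os.path.join(directory, "notes.txt")
        open(name, "w").close()
        files.append(name)
    for directory in (root, os.path.join(root, "home"), home):
        os.chmod(directory, 0o755)
    return root, files

if __name__ == "__main__":
    sample_root, sample_paths = build_sample_tree()
    for entry in leaked_entries(sample_paths, sample_root):
        print("listed in database but hidden from other users:", entry)
```

On a real system the input would be the paths printed by locate, with root left at its default of "/".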


