Re: 'locate' does not check permissions

To: debian-security@lists.debian.org
Subject: Re: 'locate' does not check permissions
From: Jim Breton <jamesb-debian@alongtheway.com>
Date: Thu, 7 Jun 2001 23:56:26 +0000
Message-id: <[🔎] 20010607235626088747.4895@alongtheway.com>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 20010607185718.C1534@mantis.autsens.localnet>; from pzn@terra.com.br on Thu, Jun 07, 2001 at 06:57:18PM -0300
References: <[🔎] 20010607185718.C1534@mantis.autsens.localnet>

On Thu, Jun 07, 2001 at 06:57:18PM -0300, Pedro Zorzenon Neto wrote:
>    $ locate private | grep "/home/pzn/private"
>      the whole contents of my private dir suddenly appears here...

Did you run "updatedb" as root anytime recently?

Notice that by default, this command is run (from cron) as user
'nobody,' so any directory he would not be able to read would not appear
in the locate database.

$ cat /etc/cron.daily/find 
#! /bin/sh
#
# cron script to update the `find.codes' database.
#
# Written by Ian A. Murdock <imurdock@debian.org> and 
#            Kevin Dalley <kevin@aimnet.com>

if [ -f /etc/updatedb.conf ]; then
  . /etc/updatedb.conf
fi

cd / && updatedb --localuser=nobody 2>/dev/null

Otoh if you just invoke 'updatedb' as root then every file on every
filesystem scanned will appear in the database, hence producing the
behavior you are seeing.

Reply to:

References:
- 'locate' does not check permissions
  - From: Pedro Zorzenon Neto <pzn@terra.com.br>

Prev by Date: Re: 'locate' does not check permissions
Next by Date: Re: Linux box vs black box
Previous by thread: Re: 'locate' does not check permissions
Next by thread: Re: 'locate' does not check permissions
Index(es):
- Date
- Thread