Re: Security: non-root users may have access to the slocate database

To: debian-user@lists.debian.org
Subject: Re: Security: non-root users may have access to the slocate database
From: Vincent Lefevre <vincent@vinc17.org>
Date: Tue, 7 Dec 2004 17:17:31 +0100
Message-id: <[🔎] 20041207161730.GE3020@ay.vinc17.org>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 20041207135730.GB2509@jam.samwatkins.homeunix.net>
References: <[🔎] 20041207092203.GX3020@ay.vinc17.org> <[🔎] 20041207135730.GB2509@jam.samwatkins.homeunix.net>

On 2004-12-08 00:57:30 +1100, Sam Watkins wrote:
> Can you tell us steps to reproduce the bug? If you can give
> instructions on how to reproduce it, I'll try to work out how to fix
> it.

First, my /etc/nsswitch.conf file contains:

group:          files nis

so that groups local to the machine have the precedence. There is
a slocate group in NIS:

dixsept:~# ypmatch slocate group
slocate:*:21:root   # pour linux

but not yet locally. /etc/group contains a group with the same gid 21:

fax:x:21:

that comes from the initial Debian installation. This means that
the NIS slocate group is not visible. Then I install slocate with
"apt-get install slocate". This gives:

Unpacking slocate (from .../slocate_2.7-4_i386.deb) ...
Adding `diversion of /usr/bin/locate to /usr/bin/locate.notslocate by slocate'
Adding `diversion of /usr/bin/updatedb to /usr/bin/updatedb.notslocate by slocate'
Adding `diversion of /usr/share/man/man1/locate.1.gz to /usr/share/man/man1/locate.notslocate.1.gz by slocate'
Adding `diversion of /usr/share/man/man1/updatedb.1.gz to /usr/share/man/man1/updatedb.notslocate.1.gz by slocate'
Adding `diversion of /etc/cron.daily/find to /etc/cron.daily/find.notslocate by slocate'
Setting up slocate (2.7-4) ...

WARNING: You should run '/etc/cron.daily/slocate' as root. locate will not work
properly until you do or until it is run by cron (it is daily).

without any error concerning the groups. The installed binary is
setgid fax, which is incorrect:

-rwxr-sr-x  1 root fax 27064 2004-09-14 07:48:59 /usr/bin/slocate

In the postinst script, everything occurs as if the slocate group
were visible. Probably a bug in nis, then. For instance:

dixsept:~# touch blah
dixsept:~# ls -l blah
-rw-r--r--  1 root root 0 2004-12-07 17:16:09 blah
dixsept:~# chown root.slocate blah 
dixsept:~# ls -l blah
-rw-r--r--  1 root fax 0 2004-12-07 17:16:09 blah

-- 
Vincent Lefèvre <vincent@vinc17.org> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / SPACES project at LORIA

Reply to:

References:
- Security: non-root users may have access to the slocate database
  - From: Vincent Lefevre <vincent@vinc17.org>
- Re: Security: non-root users may have access to the slocate database
  - From: Sam Watkins <swatkins@fastmail.fm>

Prev by Date: Re: File-->Quit doesn't work any more: A firefox bug?
Next by Date: Re: devfs_mk_cdev question
Previous by thread: Re: Security: non-root users may have access to the slocate database
Next by thread: StarOffice7 - revisited
Index(es):
- Date
- Thread