From owner-freebsd-security Sun Apr 21 10:27:37 2002
Date: Sun, 21 Apr 2002 13:27:14 -0400 (EDT)
From: "Dan Mahoney, System Admin"
To: questions@freebsd.org
Cc: security@freebsd.org
Subject: Locate revealing contents of root:wheel 700 directories
Message-ID: <20020421131741.U39364-100000@prime.gushi.org>

Hi,

I noticed that in FreeBSD 4.5, locate shows the contents of all folders, even in my previously root:wheel 700 directory, /mnt/var/log. (It's my /var/log directory).

I don't recall this being the case previously, and I thought for a moment that it was like the Linux slocate, where the locate tool respects permissions (i.e. I wouldn't be able to see the contents of /var/log if I weren't root), but su -ling down to an unprivileged user has confirmed this.

I should note that the crontab which calls locate checks for file ownership, but by default, shouldn't the locate utility?

-Dan Mahoney

--

"And, a special guest, from the future, miss Ria Pischell.
Miss Pischell, as you all know, is the inventor of the Statiophonic Oxygenetic Amplifiagraphaphonadelaverberator, and it's pretty hard to imagine life without one of those."

-Rufus, Bill & Ted's Bogus Journey

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Web: http://prime.gushi.org
finger danm@prime.gushi.org
for pgp public key and tel#
---------------------------