Date: Tue, 18 Dec 2012 22:49:43 +0100 From: Bas Smeelen <b.smeelen@ose.nl> To: freebsd-questions@freebsd.org Subject: Re: updatedb? Message-ID: <50D0E4F7.9090006@ose.nl> In-Reply-To: <20121218213250.131de35c@gumby.homeunix.com> References: <kaqljd$gj4$1@ger.gmane.org> <20121218213250.131de35c@gumby.homeunix.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 12/18/12 22:32, RW wrote: > On Tue, 18 Dec 2012 21:01:33 +0000 (UTC) > Walter Hurry wrote: > >> $ sudo /usr/libexec/locate.updatedb >>>>> WARNING >>>>> Executing updatedb as root. This WILL reveal all filenames >>>>> on your machine to all login users, which is a security risk. >> $ >> >> Why is it a "security risk"? Security through obscurity? Really? In >> this day and age? >> >> Or am I missing something? > If permissions have been set to prevent other users reading filenames > then obviously leaking file names is security issue. Yes. But as stated before it defaults to run as user nobody. Line 26 /etc/periodic/weekly/310.locate echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3 No issue there. If someone runs it as root it can be, as everything being run as root, a security issue.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50D0E4F7.9090006>