From owner-freebsd-questions@FreeBSD.ORG Tue Dec 18 21:49:47 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0B490EC2 for ; Tue, 18 Dec 2012 21:49:47 +0000 (UTC) (envelope-from b.smeelen@ose.nl) Received: from mail.ose.nl (mail.ose.nl [212.178.134.164]) by mx1.freebsd.org (Postfix) with ESMTP id 9066C8FC0C for ; Tue, 18 Dec 2012 21:49:46 +0000 (UTC) X-Footer: b3NlLm5s Received: from localhost ([127.0.0.1]) by mail.ose.nl (using TLSv1/SSLv3 with cipher AES256-SHA (256 bits)) for freebsd-questions@freebsd.org; Tue, 18 Dec 2012 22:49:43 +0100 Message-ID: <50D0E4F7.9090006@ose.nl> Date: Tue, 18 Dec 2012 22:49:43 +0100 From: Bas Smeelen User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:17.0) Gecko/17.0 Thunderbird/17.0 MIME-Version: 1.0 To: freebsd-questions@freebsd.org Subject: Re: updatedb? References: <20121218213250.131de35c@gumby.homeunix.com> In-Reply-To: <20121218213250.131de35c@gumby.homeunix.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Dec 2012 21:49:47 -0000 On 12/18/12 22:32, RW wrote: > On Tue, 18 Dec 2012 21:01:33 +0000 (UTC) > Walter Hurry wrote: > >> $ sudo /usr/libexec/locate.updatedb >>>>> WARNING >>>>> Executing updatedb as root. This WILL reveal all filenames >>>>> on your machine to all login users, which is a security risk. >> $ >> >> Why is it a "security risk"? Security through obscurity? Really? In >> this day and age? >> >> Or am I missing something? > If permissions have been set to prevent other users reading filenames > then obviously leaking file names is security issue. Yes. But as stated before it defaults to run as user nobody. Line 26 /etc/periodic/weekly/310.locate echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3 No issue there. If someone runs it as root it can be, as everything being run as root, a security issue.