From owner-freebsd-questions@FreeBSD.ORG  Tue Dec 18 21:49:47 2012
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 0B490EC2
 for <freebsd-questions@freebsd.org>; Tue, 18 Dec 2012 21:49:47 +0000 (UTC)
 (envelope-from b.smeelen@ose.nl)
Received: from mail.ose.nl (mail.ose.nl [212.178.134.164])
 by mx1.freebsd.org (Postfix) with ESMTP id 9066C8FC0C
 for <freebsd-questions@freebsd.org>; Tue, 18 Dec 2012 21:49:46 +0000 (UTC)
X-Footer: b3NlLm5s
Received: from localhost ([127.0.0.1]) by mail.ose.nl
 (using TLSv1/SSLv3 with cipher AES256-SHA (256 bits))
 for freebsd-questions@freebsd.org; Tue, 18 Dec 2012 22:49:43 +0100
Message-ID: <50D0E4F7.9090006@ose.nl>
Date: Tue, 18 Dec 2012 22:49:43 +0100
From: Bas Smeelen <b.smeelen@ose.nl>
User-Agent: Mozilla/5.0 (X11; FreeBSD i386;
 rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
Subject: Re: updatedb?
References: <kaqljd$gj4$1@ger.gmane.org>
 <20121218213250.131de35c@gumby.homeunix.com>
In-Reply-To: <20121218213250.131de35c@gumby.homeunix.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2012 21:49:47 -0000

On 12/18/12 22:32, RW wrote:
> On Tue, 18 Dec 2012 21:01:33 +0000 (UTC)
> Walter Hurry wrote:
>
>> $ sudo /usr/libexec/locate.updatedb
>>>>> WARNING
>>>>> Executing updatedb as root.  This WILL reveal all filenames
>>>>> on your machine to all login users, which is a security risk.
>> $
>>
>> Why is it a "security risk"? Security through obscurity? Really? In
>> this day and age?
>>
>> Or am I missing something?
> If permissions have been set to prevent other users reading filenames
> then obviously leaking file names is security issue.

Yes. But as stated before it defaults to run as user nobody.

Line 26 /etc/periodic/weekly/310.locate
echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3

No issue there.

If someone runs it as root it can be, as everything being run as root, a 
security issue.