Date: Tue, 18 Dec 2012 22:53:29 +0100
From: Polytropon
To: RW
Cc: freebsd-questions@freebsd.org
Subject: Re: updatedb?
Message-Id: <20121218225329.f465fc6a.freebsd@edvax.de>
In-Reply-To: <20121218213250.131de35c@gumby.homeunix.com>
References: <20121218213250.131de35c@gumby.homeunix.com>
Organization: EDVAX

On Tue, 18 Dec 2012 21:32:50 +0000, RW wrote:
> On Tue, 18 Dec 2012 21:01:33 +0000 (UTC)
> Walter Hurry wrote:
>
> > $ sudo /usr/libexec/locate.updatedb
> > >>> WARNING
> > >>> Executing updatedb as root. This WILL reveal all filenames
> > >>> on your machine to all login users, which is a security risk.
> > $
> >
> > Why is it a "security risk"? Security through obscurity? Really? In
> > this day and age?
> >
> > Or am I missing something?
>
> If permissions have been set to prevent other users reading filenames
> then obviously leaking file names is a security issue.

There are no "leaking file names", as by command, the tool does what
it is requested to: to not obey the restrictions that apply in its
_normal_ use and list _all_ file names instead.

See /etc/periodic/weekly/310.locate for example: The default call
of locate.updatedb is this:

	echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3

The program (script) will additionally honor settings in the
/etc/locate.rc file.

So if the questioned use of "sudo /usr/libexec/locate.updatedb"
to run it as root (with _all_ permissions!) leads to the intended
behaviour, i.e. list _all_ files on the system, that isn't actually
a leak, I'd say. (Terminology: A leak would appear if you'd run
locate.updatedb with the "nobody" user, and still file names from
inside a o-rwx directory would appear!)

I really like the analogy provided by Devin Teske in his reply:

When you run updatedb as root, it traverses all directories even
those that you may have posted a big "keep out" sign on
(aforementioned "chmod"). Then every non-privileged user on the
system can list the contents of your secret hideout with the "keep
out" sign posted on it. You might have well built that house out of
glass (they can't read the contents of the books on your bookshelf,
but they can see the covers and know what you've got stocked on the
shelves).

Again: If that's intended, locate.updatedb will act as instructed.
Oh behold the unlimited power of root. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
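
The distinction discussed in this thread (what a root-run locate.updatedb indexes versus what an unprivileged user could enumerate) can be checked before rebuilding the database. The following is an added example, not part of the original message or of FreeBSD; `hidden_names` and `make_sample_tree` are hypothetical names, the tree is constructed sample data, and the check assumes the unprivileged user falls in the "other" permission class.

```shell
#!/bin/sh
# Added example: list the names a root-built locate database would contain
# that "other" users could not enumerate themselves.

# hidden_names DIR
# Prints every path below DIR that lies inside a directory missing o+r or
# o+x. Conservative by design: a directory lacking either bit is treated
# as a "keep out" subtree. Paths containing newlines are not handled.
hidden_names() {
    find "$1" -type d ! -perm -005 -print 2>/dev/null |
    while IFS= read -r dir; do
        # Everything under a closed directory is invisible to "other",
        # but visible to a traversal running as root.
        find "$dir" -mindepth 1 -print 2>/dev/null
    done | sort -u
}

# make_sample_tree
# Builds a constructed tree: one world-readable directory and one private
# (chmod 700) directory. Prints the tree's root path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    chmod 755 "$root"                      # mktemp -d creates it 0700
    mkdir "$root/public" "$root/private" "$root/private/plans"
    : > "$root/public/readme.txt"
    : > "$root/private/payroll-2012.txt"
    : > "$root/private/plans/merger.txt"
    chmod 755 "$root/public"
    chmod 700 "$root/private"              # the "keep out" sign
    printf '%s\n' "$root"
}

# Demo: only the entries below private/ are reported.
sample=$(make_sample_tree)
hidden_names "$sample"
rm -rf "$sample"
```

Pointed at the real search root, any directory this reports is a candidate for PRUNEPATHS in /etc/locate.rc if the database is going to be built as root.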