From: Bas Smeelen
Date: Wed, 19 Dec 2012 00:10:31 +0100
To: freebsd-questions@freebsd.org
Subject: Re: updatedb?
Message-ID: <50D0F7E7.2070809@ose.nl>

On 12/18/12 23:04, C. P. Ghost wrote:
> On Tue, Dec 18, 2012 at 10:01 PM, Walter Hurry wrote:
>> $ sudo /usr/libexec/locate.updatedb
>>>>> WARNING
>>>>> Executing updatedb as root. This WILL reveal all filenames
>>>>> on your machine to all login users, which is a security risk.
>> $
>>
>> Why is it a "security risk"? Security through obscurity? Really? In this
>> day and age?
>>
>> Or am I missing something?
> Suppose someone managed to start a shell under your account
> and is seeking to escalate privileges, i.e. to become root. If he can
> look at a full unrestricted locatedb, he may pay particular attention
> to config files, log files etc... that may otherwise be hidden from sight.
>
> Just by looking at this, he may infer that a particular software package
> at a particular revision is actually running on that host and is configured
> in a particular way. E.g., he may see that logfiles accumulate in /var/log
> and are cleaned only once a week. It would then be easy to induce that
> program to create more log files, thus denying service to other programs
> that need /var as well. This, in turn, could result in real exploits of those
> other programs...
>
> Sure, most of this is already world-visible and in the regular locatedb
> because we're so liberal with the rights of /var/db/pkg, /var/log, /etc, ... but
> some admins prefer to hide particularly sensitive programs, their configs,
> logs etc., in a non-world-readable directory hierarchy. Running
> locate.updatedb(8) with root privileges would defeat that strategy.
> That's why it is discouraged.
>
> Of course, this is even more necessary when you have regular users on
> that machine that don't necessarily trust each other. They wouldn't like
> their home dirs to be world-readable by default by everyone else. Maybe
> they won't object (and set /home/$USER to -rwxr-xr-x instead of -rwxr-x---
> or -rwx------) but that's their call, not the sysadmin's.
>
> -cpghost.
>

Sorry, cpghost, I missed the point. Clear explanation. Should such programs be modified so there is never a chance of being run as root? I guess there are environments where measures like these are taken: no warning, just refuse to run as root?
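To make cpghost's point concrete, here is an added example (not FreeBSD's locate.updatedb script and not code from anyone in this thread): a small Python simulation of the filename list find(1) can collect when it runs as root versus as an unrelated login user. It builds a constructed sample tree with a private config directory and a private home directory, then indexes it twice with a simplified Unix DAC check, and reports the names that only the root-built index contains. The tree layout, the "other user" uid/gid (65534, the usual nobody) and the modelling of uid 0 as bypassing read/search checks are all assumptions of the example, not properties of locate.updatedb.

```python
"""Simulate what locate.updatedb reveals when find(1) runs as root vs. as an
unprivileged user.  Added example, not FreeBSD code: the permission check and
the sample tree below are simplified stand-ins for the real thing."""
import os
import tempfile
from pathlib import Path

# Hypothetical "other login user": neither the owner nor in the owning group of
# anything in the tree (ids chosen so they never collide with this process).
OTHER_UID = 65534 if os.getuid() != 65534 else 65533
OTHER_GIDS = {65534 if os.getgid() != 65534 else 65533}


def perm_bits(st: os.stat_result, uid: int, gids: set) -> int:
    """rwx triplet (0..7) that classic Unix DAC applies to viewer (uid, gids).
    Root (uid 0) is modelled as bypassing read/search checks, which is exactly
    why an index built as root contains everything."""
    if uid == 0:
        return 7
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def build_index(root: Path, uid: int, gids: set) -> set:
    """Names find(1) could collect if it ran as `uid`: a directory's entries are
    listed only with r on it, and subdirectories are entered only with x."""
    names = set()

    def walk(d: Path) -> None:
        bits = perm_bits(os.lstat(d), uid, gids)
        if not bits & 4:          # no read permission: cannot enumerate entries
            return
        for entry in sorted(d.iterdir()):
            names.add(entry.relative_to(root).as_posix())
            if entry.is_dir() and not entry.is_symlink() and bits & 1:
                walk(entry)       # search permission lets find descend

    walk(root)
    return names


def make_demo_tree(base: Path) -> None:
    """Constructed sample layout: world-readable system dirs plus two
    deliberately private hierarchies an admin or user relies on staying hidden."""
    files = [
        "etc/rc.conf",
        "var/log/messages",
        "usr/local/etc/secret-app/secret-app.conf",   # admin hides the app config
        "home/alice/.ssh/id_rsa",                     # user keeps $HOME private
    ]
    for rel in files:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample\n")
    # Normalise every directory to 0755 first (mkdtemp creates 0700, and the
    # umask is unknown), then close the two private subtrees.
    for d in [base, *base.rglob("*")]:
        if d.is_dir():
            d.chmod(0o755)
    for rel in ("usr/local/etc/secret-app", "home/alice"):
        (base / rel).chmod(0o700)


def demo() -> dict:
    """Index the constructed tree as root and as the other user; return both
    indexes and the names that only the root-built one exposes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_demo_tree(root)
        as_root = build_index(root, 0, {0})
        as_other = build_index(root, OTHER_UID, OTHER_GIDS)
        return {
            "as_root": as_root,
            "as_other": as_other,
            "leaked": sorted(as_root - as_other),
        }


if __name__ == "__main__":
    for name in demo()["leaked"]:
        print("revealed only by a root-built index:", name)
```

Note what the unprivileged index still contains: the names `usr/local/etc/secret-app` and `home/alice` themselves, because their parents are world-readable. What it cannot contain is anything beneath them, and that is the gap a root-built locatedb closes for every login user.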