From owner-freebsd-security Fri Apr 24 13:30:19 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA23198 for freebsd-security-outgoing; Fri, 24 Apr 1998 13:30:19 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from indigo.ie (nsmart@ts01-48.waterford.indigo.ie [194.125.139.111]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA22959 for ; Fri, 24 Apr 1998 13:29:40 -0700 (PDT) (envelope-from rotel@indigo.ie)
Received: (from nsmart@localhost) by indigo.ie (8.8.8/8.8.7) id VAA00581; Fri, 24 Apr 1998 21:25:38 +0100 (IST) (envelope-from rotel@indigo.ie)
From: Niall Smart
Message-Id: <199804242025.VAA00581@indigo.ie>
Date: Fri, 24 Apr 1998 21:25:38 +0000
In-Reply-To: Nicholas Charles Brawn "Re: Symlinks again..." (Apr 24, 8:40pm)
Reply-To: rotel@indigo.ie
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: Nicholas Charles Brawn , freebsd-security@FreeBSD.ORG
Subject: Re: Symlinks again...
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Apr 24, 8:40pm, Nicholas Charles Brawn wrote:
} Subject: Re: Symlinks again...
>
> Upon a little debate over whether or not /etc/weekly su's to nobody before
> running locate.updatedb, I checked it out myself.
>
> From /etc/weekly:
> echo ""
> echo "Rebuilding locate database:"
> locdb=/var/db/locate.database
> touch ${locdb}; chown nobody ${locdb}; chmod 644 ${locdb}
> echo /usr/libexec/locate.updatedb | nice -5 su -fm nobody 2>&1 |\
>         fgrep -v 'Permission denied'
                                              ^^^^^^^^^^^^^
> chmod 444 ${locdb}
>
> I stand corrected. :)

The code is still wrong though, an account is compromisable. I would
submit a PR.

mktemp(1) should be ported to -stable to make fixing/avoiding this
type of thing easier. Any takers?

Niall

--
Niall Smart.
PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org
Annoy your enemies and astonish your friends:
echo "#define if(x) if (!(x))" >> /usr/include/stdio.h
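
The thread names the problem class (symlinks) and the remedy (mktemp(1)) without showing either. The following is an added example, not code from the original message or from FreeBSD's /etc/weekly, contrasting a predictable scratch file name with one created by mktemp(1). The directory layout, the file names weekly.tmp and victim, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed): why a predictable scratch name in a shared
# directory is unsafe for a privileged script, and how mktemp(1) avoids it.

# Unsafe pattern: the name is guessable, and ">" follows a symlink that
# another local user created there first.
write_predictable() {
    dir=$1
    echo "scratch data" > "$dir/weekly.tmp"
}

# Safer pattern: mktemp picks an unpredictable name and creates the file
# exclusively (O_EXCL, mode 0600), so a pre-existing link is never followed.
write_mktemp() {
    dir=$1
    tmp=$(mktemp "$dir/weekly.XXXXXXXXXX") || return 1
    echo "scratch data" > "$tmp"
    echo "$tmp"
}

# Constructed scenario inside a private sandbox directory: "shared" stands in
# for a world-writable directory, "victim" for a file the script can write.
demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/shared"
    echo "important" > "$base/victim"
    ln -s "$base/victim" "$base/shared/weekly.tmp"    # link planted in advance

    write_mktemp "$base/shared" >/dev/null
    after_mktemp=$(cat "$base/victim")        # victim is untouched

    write_predictable "$base/shared"
    after_predictable=$(cat "$base/victim")   # victim was overwritten via the link

    rm -rf "$base"
    echo "$after_mktemp|$after_predictable"
}

demo
```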