From owner-freebsd-questions@freebsd.org Mon Jul 20 10:40:08 2015
From: Scott Bennett
Message-Id: <201507201039.t6KAdwCU014203@sdf.org>
Date: Mon, 20 Jul 2015 05:39:58 -0500
To: freebsd@edvax.de
Subject: Re: limiting find(1) in /etc/periodic scripts
Cc: freebsd-questions@freebsd.org
References: <201507200910.t6K9A9J6007857@sdf.org> <20150720114036.b83e5116.freebsd@edvax.de>
In-Reply-To: <20150720114036.b83e5116.freebsd@edvax.de>
User-Agent: Heirloom mailx 12.5 6/20/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
List-Id: User questions

Polytropon wrote:

> On Mon, 20 Jul 2015 04:10:09 -0500, Scott Bennett wrote:
> > What is the best way to keep find(1) in the various /etc/periodic
> > scripts from descending into certain directories?
>
> If I remember correctly, find will only descend into directories
> that have the o+rx attribute (readable by everyone). If you do

No, it goes wherever it has read access (plus execute access for
directories). Also, the /etc/periodic scripts get run as root.

> not want a subtree to be searched, make sure it's +rx for the
> owner and +rx for the group, as well as +w where needed, usually
> +rwx for the user. A typical setting then is drwxr-x--- for such
> directories.
>
> There is another problem:
>
> Directories such as /root should not be searched. The problem
> is that there will be an additional information leak, like
>
>     $ locate system_secrets
>     /root/system_secrets.txt
>

Well, that's not a worry because the locate stuff has only created empty
locate databases since sometime in FreeBSD 6. I've tried several times
without success to get it to work and to get it to run as "nobody". It's
almost as irritating as the five-minute stall for vi.recover during
multi-user startup.

> And if "descriptive" file names (including names, locations,
> ID numbers, etc.) are involved, well...
>

That's why the locate.db stuff *should* run as nobody, which does not have
read or execute permission for such directories, but since it doesn't work
anyway, no real harm is done if the permissions are set wrong in this case
(which they are *not*). Given that locate doesn't work, which is only run
weekly, the only script I can think of that I want to run against root's
CCACHE_DIR is, as I mentioned before, the SUID security check.

Thanks for the thoughts, though, Polytropon.

Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at sdf.org   *xor*   bennett at freeshell.org     *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
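The exchange above turns on one point: mode bits such as drwxr-x--- cannot keep find(1) out of a subtree when the caller is root, which is how the /etc/periodic scripts run, so an exclusion has to live in the find expression itself. The following is an added example, not code from this thread or from FreeBSD's own periodic scripts. It builds a prune list with `-path ... -prune` from a set of directory names, and exercises it on a constructed temporary tree (the layout, the `find_excluding`, `make_tree`, `demo` and `count_all` names, and the `root/.ccache` directory standing in for root's CCACHE_DIR are all assumptions of the example).

```sh
#!/bin/sh
# Added example (not from the thread or from FreeBSD's periodic scripts):
# keep find(1) out of chosen directories by pruning them in the expression,
# since permission bits do not stop a find run as root.

# find_excluding ROOT [EXCLUDE ...]
# Print every regular file under ROOT, skipping each EXCLUDE directory (a
# path relative to ROOT) and everything beneath it, whatever its mode bits.
# The expression generated is:
#   find ROOT ( -path ROOT/ex1 -o -path ROOT/ex2 ) -prune -o -type f -print
find_excluding() {
    root=$1; shift
    if [ $# -eq 0 ]; then
        find "$root" -type f
        return
    fi
    # Rebuild the positional parameters into find arguments. A literal "("
    # appended after the exclusions marks where the original list ends, so
    # paths containing spaces survive without eval or word splitting.
    set -- "$@" "("
    first=yes
    while [ "$1" != "(" ]; do
        ex=$1; shift
        [ "$first" = yes ] || set -- "$@" -o
        set -- "$@" -path "${root%/}/${ex%/}"
        first=no
    done
    shift   # drop the end marker
    find "$root" "(" "$@" ")" -prune -o -type f -print
}

# make_tree: create a constructed (hypothetical) tree under a temp dir and
# print its path. root/.ccache plays the part of root's CCACHE_DIR.
make_tree() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/user" "$tmp/root/.ccache" "$tmp/etc"
    : > "$tmp/home/user/notes.txt"
    : > "$tmp/root/.ccache/cached-object"
    : > "$tmp/etc/rc.conf"
    chmod 700 "$tmp/root"   # mode bits alone would not stop root's find
    printf '%s\n' "$tmp"
}

# demo: list the tree with root/.ccache pruned; output relative and sorted.
demo() {
    tmp=$(make_tree) || return 1
    find_excluding "$tmp" root/.ccache | sed "s|^$tmp/||" | sort
    rm -rf "$tmp"
}

# count_all: same tree with no exclusions; prints the number of files found.
count_all() {
    tmp=$(make_tree) || return 1
    find_excluding "$tmp" | wc -l | tr -d ' '
    rm -rf "$tmp"
}

demo
```

Run as-is, `demo` prints `etc/rc.conf` and `home/user/notes.txt` but not the file under `root/.ccache`, while `count_all` reports all three files. The same `( -path ... ) -prune -o ... -print` shape is what a locally patched periodic script would need, since the scripts run as root and would otherwise walk every readable directory.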