From: Arthur Chance
Date: Mon, 20 Jul 2015 12:23:44 +0100
To: Scott Bennett, freebsd@edvax.de
CC: freebsd-questions@freebsd.org
Subject: Re: limiting find(1) in /etc/periodic scripts
Message-ID: <55ACDA40.7040908@qeng-ho.org>
References: <201507200910.t6K9A9J6007857@sdf.org> <20150720114036.b83e5116.freebsd@edvax.de> <201507201039.t6KAdwCU014203@sdf.org>
In-Reply-To: <201507201039.t6KAdwCU014203@sdf.org>

On 20/07/2015 11:39, Scott Bennett wrote:
> Polytropon wrote:
>
>> On Mon, 20 Jul 2015 04:10:09 -0500, Scott Bennett wrote:
>>> What is the best way to keep find(1) in the various /etc/periodic
>>> scripts from descending into certain directories?

To control locate, you can edit /etc/locate.rc to modify PRUNEPATHS
suitably. For the rest, I think you'll have to hack the periodic scripts
directly.

>>
>> If I remember correctly, find will only descend into directories
>> that have the o+rx attribute (readable by everyone). If you do
>
> No, it goes wherever it has read access (plus execute access
> for directories). Also, the /etc/periodic scripts get run as root.
>
>> not want a subtree to be searched, make sure it's +rx for the
>> owner and +rx for the group, as well as +w where needed, usually
>> +rwx for the user. A typical setting then is drwxr-x--- for such
>> directories.
>>
>> There is another problem:
>>
>> Directories such as /root should not be searched. The problem
>> is that there will be an additional information leak, like
>>
>> $ locate system_secrets
>> /root/system_secrets.txt
>>
> Well, that's not a worry because the locate stuff has only
> created empty locate databases since sometime in FreeBSD 6.

It's always worked fine for me; I'm currently on 10.1-REL. Do most of
your files live on servers rather than the box you're running locate on?
By default locate.updatedb does not consider files that are network
mounted. To override, edit FILESYSTEMS in /etc/locate.conf to control the
flavours of filesystem that are searched. Mine has

FILESYSTEMS="ufs zfs nfs"

> I've
> tried several times without success to get it to work and to get
> it to run as "nobody". It's almost as irritating as the five-
> minute stall for vi.recover during multi-user startup.

But building the locate database already runs as nobody. Line 26 of
/etc/periodic/weekly/310.locate reads

echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3

There's an su in the middle of that. If locate.updatedb is actually run
as root it complains loudly (but does it anyway as you told it to).

-- 
Those who do not learn from computing history are doomed to GOTO 1
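The PRUNEPATHS mechanism the thread refers to boils down to a find(1) invocation that prunes the listed subtrees before printing, which is also the usual way to keep a periodic find(1) out of /root. The script below is an added example, not code from the thread or from FreeBSD's locate.updatedb: the function names `find_pruned` and `demo_leak_check` are mine, the sample tree is constructed in a temporary directory, and, unlike the real periodic script, it does not drop privileges via su(1).

```shell
#!/bin/sh
# Added example: exclude PRUNEPATHS-style subtrees from a find(1) walk.
# Portable POSIX sh + POSIX find(1); nothing here is FreeBSD-specific.

# find_pruned ROOT PRUNEPATHS
#   Print every path under ROOT except the subtrees named in PRUNEPATHS
#   (a space-separated list of absolute paths, like /etc/locate.rc's
#   PRUNEPATHS).  The pruned directories themselves are not printed,
#   because "-prune" is evaluated before the "-o -print" branch.
find_pruned() {
    root=$1
    prunepaths=$2
    set --                      # rebuild the find(1) argument list
    for p in $prunepaths; do    # unquoted on purpose: split on spaces
        if [ $# -eq 0 ]; then
            set -- -path "$p"
        else
            set -- "$@" -o -path "$p"
        fi
    done
    if [ $# -eq 0 ]; then       # nothing to prune: plain listing
        find "$root" -print
        return
    fi
    # Expands to: find ROOT ( -path A -o -path B ... ) -prune -o -print
    find "$root" \( "$@" \) -prune -o -print
}

# demo_leak_check
#   Builds a constructed tree with a /root-like directory holding a
#   "secrets" file.  Returns 0 if the unpruned walk would have exposed
#   the file while the pruned walk omits it and still lists the rest.
demo_leak_check() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/root" "$tmp/home/alice"
    : > "$tmp/root/system_secrets.txt"     # constructed sample data
    : > "$tmp/home/alice/notes.txt"
    unpruned=$(find_pruned "$tmp" "")
    pruned=$(find_pruned "$tmp" "$tmp/root")
    rm -rf "$tmp"
    case $unpruned in *system_secrets.txt*) ;; *) return 1 ;; esac
    case $pruned   in *system_secrets.txt*) return 1 ;; esac
    case $pruned   in *notes.txt*) return 0 ;; *) return 1 ;; esac
}
```

Run `demo_leak_check` after sourcing the file; an exit status of 0 means the pruned walk kept the secrets file out of the listing while still indexing the unrelated home directory.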