Date: Thu, 20 Sep 2001 20:57:07 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: freebsd-audit@freebsd.org
Subject: Misuse of 'nobody' user for locate(1)
Message-ID: <20010920205706.A3050@blossom.cjclark.org>
The original purpose of the 'nobody' user was for "anonymous" NFS access. This is the account to which the superuser on a remote system is mapped. The idea is to have a user that owns no files on the system nor is a member of a group that has group ownership of a file. File access for this user is always determined by the world permission bits. This user continues to be used for this purpose and others as well. Other systems, like Samba, can use 'nobody' as the 'GUEST' user where again we want a user who only passes world permission bits.

The FreeBSD base system has special uses for 'nobody.' However, one of these has an implementation flaw. When building the locate(1) database, the 'nobody' user is used. This makes perfect sense. Since 'nobody' has no user or group ownership or special access to files, we get a locate(1) database that only contains files that everyone can see. However, there is a small bug in the implementation: the resulting database is owned by 'nobody.' This violates one of the primary features 'nobody' is meant to have. Let me say it again, THE 'nobody' USER SHOULD OWN NO FILES ON THE SYSTEM.

Now fixing this is rather straightforward. As things stand in the weekly scripts, the database file is created by 'root,' chowned to 'nobody,' and then the update script is run as 'nobody.' The update script writes the file; this is why the file must be writeable by 'nobody.' My solution is to have the update script write its output to stdout. In this way, 'root' can simply redirect the output of the update script, which is being run under 'nobody,' and the file does not need to be owned by or writeable by 'nobody.' To do this, I gutted the ability of the update script to write to a specific file. It always writes to stdout. This makes sense to me.
To have the weekly script 310.locate work properly, the database location needed to be specified in two locations, in the update script (/usr/libexec/locatedb) or its configuration file (/etc/locate.rc) as well as in 310.locate. I see no reason for the script to have this ability on its own. The location only need be defined in 310.locate. Here are the patches. Any comments about them or the whole idea of eliminating 'nobody' ownership of files? Thanks. Index: src/etc/periodic/weekly/310.locate =================================================================== RCS file: /export/ncvs/src/etc/periodic/weekly/310.locate,v retrieving revision 1.6 diff -u -r1.6 310.locate --- src/etc/periodic/weekly/310.locate 2000/09/14 17:19:13 1.6 +++ src/etc/periodic/weekly/310.locate 2001/09/21 03:14:09 @@ -18,12 +18,9 @@ locdb=/var/db/locate.database - touch $locdb && rc=0 || rc=3 - chown nobody $locdb || rc=3 - chmod 644 $locdb || rc=3 - cd / - echo /usr/libexec/locate.updatedb | nice -5 su -fm nobody || rc=3 + { echo /usr/libexec/locate.updatedb | + nice -5 su -fm nobody; } > $locdb || rc=3 chmod 444 $locdb || rc=3;; *) rc=0;; Index: src/usr.bin/locate/locate/updatedb.sh =================================================================== RCS file: /export/ncvs/src/usr.bin/locate/locate/updatedb.sh,v retrieving revision 1.17 diff -u -r1.17 updatedb.sh --- src/usr.bin/locate/locate/updatedb.sh 2000/01/12 08:01:01 1.17 +++ src/usr.bin/locate/locate/updatedb.sh 2001/09/21 03:49:55 @@ -44,7 +44,6 @@ : ${mklocatedb:=locate.mklocatedb} # make locate database program -: ${FCODES:=/var/db/locate.database} # the database : ${SEARCHPATHS:="/"} # directories to be put in the database : ${PRUNEPATHS:="/tmp /usr/tmp /var/tmp"} # unwanted directories : ${FILESYSTEMS:="ufs"} # allowed filesystems 
@@ -81,8 +80,8 @@ $mklocatedb -presort > $tmp then case X"`$find $tmp -size -257c -print`" in - X) cat $tmp > $FCODES;; - *) echo "updatedb: locate database $tmp is empty" + X) cat $tmp;; + *) echo "updatedb: locate database $tmp is empty" >&2 exit 1 esac fi Index: src/usr.bin/locate/locate/locate.rc =================================================================== RCS file: /export/ncvs/src/usr.bin/locate/locate/locate.rc,v retrieving revision 1.8 diff -u -r1.8 locate.rc --- src/usr.bin/locate/locate/locate.rc 1999/08/28 01:02:59 1.8 +++ src/usr.bin/locate/locate/locate.rc 2001/09/21 03:14:25 @@ -9,9 +9,6 @@ # temp directory #TMPDIR="/tmp" -# the actual database -#FCODES="/var/db/locate.database" - # directories to be put in the database #SEARCHPATHS="/" -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
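Review bot: in the 310.locate hunk, `> $locdb` truncates the existing database before the new one has been built, so a failed run (updatedb exits 1 on an empty result, or su fails) leaves an empty /var/db/locate.database where a working one used to be; the old flow only replaced the file via `cat $tmp > $FCODES` after the size check had passed. Redirect into a root-owned temporary file beside $locdb and mv it into place only when the pipeline succeeds. The dropped `touch $locdb && rc=0` was also the only line in this branch that set rc to 0, so on success rc is now left unset and should be initialized explicitly. Note too that a database left over from the old scheme stays owned by nobody, since the redirect rewrites the file in place without changing its owner; the temporary-file-plus-mv approach (or a one-time chown) takes care of that.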
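Review bot: in the first updatedb.sh hunk, dropping the `: ${FCODES:=/var/db/locate.database}` default silently ignores any FCODES setting in /etc/locate.rc or the environment rather than rejecting it, and any remaining `$FCODES` reference in the script now expands to empty; please check for such references, and if locate.updatedb(8) documents FCODES, update that man page in the same commit and say in the commit message that the output location now belongs to the caller.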
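Review bot: in the second updatedb.sh hunk, the database now travels over stdout, so every other byte the script sends to stdout ends up inside the database file; the `>&2` on the "is empty" message is right, but the same discipline is needed for any other diagnostic the script, `$find` or `$mklocatedb` might print to stdout before `cat $tmp` runs. The `exit 1` is reached after the caller has already opened its output file, so the only signal the caller gets is the status propagated through su, which is what 310.locate tests with `|| rc=3`.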
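Review bot: the locate.rc hunk removes the commented `#FCODES` example without saying where the database location now lives; a one-line comment pointing at the caller (310.locate) would keep the configuration file self-explanatory for readers who find the variable in older documentation.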
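The pattern the message describes (the privileged caller redirects the output of a generator that runs unprivileged, so the output file is never owned by 'nobody'), as an added example that is not part of the original message or of the FreeBSD scripts; it also keeps the previous database intact when the generator fails. The generator is passed as a command string and run with `sh -c` so the function can be exercised without root; in the weekly script it would be the `echo /usr/libexec/locate.updatedb | nice -5 su -fm nobody` pipeline.

```shell
#!/bin/sh
# Added example (not the FreeBSD periodic script): rebuild a database
# as an unprivileged user while the privileged caller keeps ownership
# of the output file, and keep the old database if the rebuild fails.
#
# build_db DBFILE GENERATOR
#   GENERATOR is a shell command line that writes the database to
#   stdout; in 310.locate it would be
#   "echo /usr/libexec/locate.updatedb | nice -5 su -fm nobody".
#   Returns 0 on success, 3 on failure (the rc value 310.locate uses).
build_db() {
    db=$1
    gen=$2
    # Temporary file in the target directory, created and owned by the
    # caller; the generator only ever sees an already-open stdout.
    tmp=$(mktemp "$db.XXXXXX") || return 3
    if sh -c "$gen" > "$tmp" && [ -s "$tmp" ]; then
        # Publish atomically: readers see either the old or the new
        # database, never a truncated one.
        chmod 444 "$tmp" && mv -f "$tmp" "$db" && return 0
    fi
    # Generator failed or produced nothing: discard, keep the old file.
    rm -f "$tmp"
    return 3
}
```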