Date: Tue, 24 Apr 2001 13:42:05 +1200
From: Jonathan Chen
To: hulk
Cc: questions
Subject: Re: problem??? in /etc/periodic/weekly/310.locate ???
Message-ID: <20010424134205.A4027@itouchnz.itouch>
In-Reply-To: <3AE4D673.25BA2162@home.com>; from hulk-baillie@home.com on Mon, Apr 23, 2001 at 09:27:15PM -0400

On Mon, Apr 23, 2001 at 09:27:15PM -0400, hulk wrote:
> I am logged in as root and direct execution of the periodic script
> says "permission denied".
> If "nobody" is added to the "wheel" group the script is directly
> executable.
> I therefore doubt that the script and/or su run{s} as you say. The
> locate.database mod time
> will be changed by the "touch" cmd but file will not be updated.
>
> Am I on the wrong track?

Yup. The su-behaviour you describe for `nobody:wheel' is incorrect,
easily provable on any fresh install of 4.X; root can su to anyone,
wheel group constraints are only required to su to root.

What I suspect is that one of the executables that is invoked by the
script has got the wrong permissions on it; ie it's got o= instead of
o=rx, that's why when you add nobody to the wheel group (which is a very
bad security risk), you can run the 310.locate script.

Check the permissions on /usr/libexec/locate.*. They should be
root:wheel with permissions of 555. If these look good, you may
have to do a `mtree' to clobber all your system permissions back into
place.
-- 
Jonathan Chen
----------------------------------------------------------------------
The Internet: an empirical test of the idea that a million monkeys
banging on a million keyboards can produce Shakespeare
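
One way to run the permission check suggested in the reply above, as an added example that is not part of the original message: a POSIX sh helper that lists files whose mode or owner differs from the expected 555 root:wheel and flags a missing o=rx separately. The function names `mode_owner` and `audit_perms` and the script name `audit.sh` are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original thread): audit helper executables for
# the mode and owner the reply names (555, root:wheel).

# Print "<octal-mode> <user>:<group>" for one file.
# GNU/busybox stat takes -c; FreeBSD stat rejects -c and takes -f instead.
mode_owner() {
    stat -c '%a %U:%G' "$1" 2>/dev/null || stat -f '%Lp %Su:%Sg' "$1"
}

# audit_perms DIR PATTERN WANT_MODE WANT_OWNER
# Prints one line per deviating file; returns 1 if any file deviates, else 0.
audit_perms() {
    dir=$1 pattern=$2 want_mode=$3 want_owner=$4
    status=0
    for f in "$dir"/$pattern; do          # $pattern unquoted on purpose: glob
        [ -e "$f" ] || continue           # pattern matched nothing
        info=$(mode_owner "$f") || { echo "$f: cannot stat"; status=1; continue; }
        mode=${info%% *}
        owner=${info#* }
        other=${mode#"${mode%?}"}         # last octal digit = "other" bits
        why=
        # r-x for "other" is bits 4 and 1; without both, an unprivileged
        # account such as nobody cannot read and execute the file.
        [ $((other & 5)) -eq 5 ] || why="$why other lacks r-x;"
        [ "$mode" = "$want_mode" ] || why="$why mode is not $want_mode;"
        [ "$owner" = "$want_owner" ] || why="$why owner is not $want_owner;"
        if [ -n "$why" ]; then
            echo "$f: $mode $owner:$why"
            status=1
        fi
    done
    return $status
}

# Run only when arguments are given, e.g.:
#   sh audit.sh /usr/libexec 'locate.*' 555 root:wheel
[ $# -eq 0 ] || audit_perms "$@"
```

A non-zero exit status means at least one file needs attention, so the script can also be called from a periodic job.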