Date: Tue, 18 Dec 2012 22:44:25 +0000
From: RW <rwmaillists@googlemail.com>
To: freebsd-questions@freebsd.org
Subject: Re: updatedb?
Message-ID: <20121218224425.49f2f481@gumby.homeunix.com>
In-Reply-To: <20121218225329.f465fc6a.freebsd@edvax.de>
References: <kaqljd$gj4$1@ger.gmane.org> <20121218213250.131de35c@gumby.homeunix.com> <20121218225329.f465fc6a.freebsd@edvax.de>

On Tue, 18 Dec 2012 22:53:29 +0100
Polytropon wrote:

> On Tue, 18 Dec 2012 21:32:50 +0000, RW wrote:
> > On Tue, 18 Dec 2012 21:01:33 +0000 (UTC)
> > Walter Hurry wrote:
> >
> > > $ sudo /usr/libexec/locate.updatedb
> > > >>> WARNING
> > > >>> Executing updatedb as root. This WILL reveal all filenames
> > > >>> on your machine to all login users, which is a security risk.
> > > $
> > >
> > > Why is it a "security risk"? Security through obscurity? Really?
> > > In this day and age?
> > >
> > > Or am I missing something?
> >
> > If permissions have been set to prevent other users reading
> > filenames then obviously leaking file names is security issue.
>
> There are no "leaking file names",

There is from the perspective of an ordinary user that's configured
directories under ~ to be confidential.

> as by command, the tool does
> what it is requested to: to not obey the restrictions that apply
> in its _normal_ use and list _all_ file names instead.

Obviously. But the warning is intended for people that haven't thought
through the consequences of what they are doing.


On Tue, 18 Dec 2012 22:49:43 +0100
Bas Smeelen wrote:

> Yes. But as stated before it defaults to run as user nobody.
>
> Line 26 /etc/periodic/weekly/310.locate
> echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3

This is true but not very relevant. It runs as nobody from the periodic
script, but the warning comes from locate.updatedb itself, which may
be run independently of 310.locate.

> If someone runs it as root it can be, as everything being run as
> root, a security issue.

Not really, mostly when things are run as root there is an additional
risk. Very few things do the wrong thing simply as a consequence of
running as root so it warrants a warning.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20121218224425.49f2f481>
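
The thread turns on whether a root-built locate database exposes names that directory permissions would otherwise hide. The following POSIX sh script is an added example, not part of the e-mail or of FreeBSD's own scripts: it reads a list of paths (such as locate output) and reports those an unprivileged user could not have listed by walking the filesystem. The function names and the sample tree are hypothetical, and only the "other" mode bits are considered.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: only the "other" mode bits
# are checked; group membership, ACLs and MAC policy are ignored.

# other_mode DIR PATTERN: true if DIR's `ls -ld` mode string matches PATTERN.
other_mode() {
    case $(ls -ld -- "$1" 2>/dev/null | cut -c1-10) in
        $2) return 0 ;;
    esac
    return 1
}

# visible_to_others PATH [ROOT]: true if "other" may read and search PATH's
# parent and may search every ancestor up to ROOT. Paths must be absolute.
# Entries whose parent no longer exists (stale database) are reported as hidden.
visible_to_others() {
    root=${2:-/}
    dir=$(dirname -- "$1")
    other_mode "$dir" 'd??????r?[xt]' || return 1      # parent: read + search
    while [ "$dir" != "$root" ] && [ "$dir" != / ] && [ "$dir" != . ]; do
        dir=$(dirname -- "$dir")
        other_mode "$dir" 'd????????[xt]' || return 1  # ancestors: search only
    done
    return 0
}

# hidden_entries [ROOT]: read one path per line (e.g. piped from locate(1))
# and print the ones an unprivileged user could not have listed.
hidden_entries() {
    while IFS= read -r path; do
        visible_to_others "$path" "${1:-/}" || printf '%s\n' "$path"
    done
}

# demo: constructed tree with one mode-700 directory; the printf list stands
# in for the contents of a database built as root.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/pub" "$t/home/alice/private/sub"
    chmod 755 "$t" "$t/pub" "$t/home" "$t/home/alice" "$t/home/alice/private/sub"
    chmod 700 "$t/home/alice/private"
    printf '%s\n' "$t/pub/readme" "$t/home/alice/private" \
        "$t/home/alice/private/plan.txt" "$t/home/alice/private/sub/deep.txt" |
        hidden_entries "$t" | sed "s|^$t||"
    rm -rf "$t"
}

demo
```

Any output from `hidden_entries` on a real database means it holds names from directories closed to other users, which is what the periodic script's `su -fm nobody` is meant to prevent.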