Date:      Mon, 20 Jul 2015 05:39:58 -0500
From:      Scott Bennett <bennett@sdf.org>
To:        freebsd@edvax.de
Cc:        freebsd-questions@freebsd.org
Subject:   Re: limiting find(1) in /etc/periodic scripts
Message-ID:  <201507201039.t6KAdwCU014203@sdf.org>
In-Reply-To: <20150720114036.b83e5116.freebsd@edvax.de>
References:  <201507200910.t6K9A9J6007857@sdf.org> <20150720114036.b83e5116.freebsd@edvax.de>

Polytropon <freebsd@edvax.de> wrote:

> On Mon, 20 Jul 2015 04:10:09 -0500, Scott Bennett wrote:
> >      What is the best way to keep find(1) in the various /etc/periodic
> > scripts from descending into certain directories?
>
> If I remember correctly, find will only descend into directories
> that have the o+rx attribute (readable by everyone). If you do

     No, it goes wherever it has read access (plus execute access
for directories).  Also, the /etc/periodic scripts get run as root.

> not want a subtree to be searched, make sure it's +rx for the
> owner and +rx for the group, as well as +w where needed, usually
> +rwx for the user. A typical setting then is drwxr-x--- for such
> directories.
>
> There is another problem:
>
> Directories such as /root should not be searched. The problem
> is that there will be an additional information leak, like
>
> 	$ locate system_secrets
> 	/root/system_secrets.txt
>
     Well, that's not a worry because the locate stuff has only
created empty locate databases since sometime in FreeBSD 6.  I've
tried several times without success to get it to work and to get
it to run as "nobody".  It's almost as irritating as the five-
minute stall for vi.recover during multi-user startup.

> And if "descriptive" file names (including names, locations,
> ID numbers, etc.) are involved, well...
>
     That's why the locate.db stuff *should* run as nobody, which
does not have read or execute permission for such directories, but
since it doesn't work anyway, no real harm is done if the permissions
are set wrong in this case (which they are *not*).
     Given that locate doesn't work, which is only run weekly, the
only script I can think of that I want to run against root's
CCACHE_DIR is, as I mentioned before, the SUID security check.
     Thanks for the thoughts, though, Polytropon.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:   bennett at sdf.org   *xor*   bennett at freeshell.org  *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
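One way to do what the original question asks, keeping find(1) out of a chosen subtree even though (as Scott notes above) the periodic scripts run as root and directory permissions will not stop it, is to prune the directory inside the find expression itself. The following is an added shell example, not code from this thread or from FreeBSD's /etc/periodic scripts; the scratch tree, the directory names and the `find_setuid_pruning` helper are constructed for illustration, and it assumes only a POSIX find(1) with `-path` and `-prune`.

```shell
#!/bin/sh
# Added example (not from the thread): keep find(1) out of one subtree
# while still scanning the rest of a tree for setuid regular files.
# Assumptions: POSIX find(1) with -path/-prune; the scratch tree below
# is constructed here so the script runs as an unprivileged user.

# find_setuid_pruning ROOT PRUNE_DIR
#   Prints setuid regular files under ROOT without ever descending into
#   PRUNE_DIR. "-path PRUNE_DIR -prune" matches the directory itself and
#   stops find from entering it; the "-o" branch applies the real test
#   to everything else. Permissions are irrelevant: this works as root.
find_setuid_pruning() {
    root=$1
    prune=$2
    find "$root" -path "$prune" -prune -o -type f -perm -4000 -print
}

# build_scratch_tree
#   Constructs (hypothetical layout) a tree with one setuid file in a
#   "keep" directory and another under "private/ccache", standing in for
#   a directory such as a CCACHE_DIR that the scan should skip.
#   Prints the tree's root directory.
build_scratch_tree() {
    base=$(mktemp -d "${TMPDIR:-/tmp}/prune-demo.XXXXXX")
    mkdir -p "$base/keep" "$base/private/ccache"
    : > "$base/keep/suid_tool"
    : > "$base/keep/plain_file"
    : > "$base/private/ccache/suid_in_private"
    chmod 4755 "$base/keep/suid_tool" "$base/private/ccache/suid_in_private"
    printf '%s\n' "$base"
}

# count_hits ROOT PRUNE_DIR
#   Prints the number of setuid files reported with PRUNE_DIR skipped.
count_hits() {
    find_setuid_pruning "$1" "$2" | wc -l | tr -d ' '
}

# hits_in_pruned ROOT PRUNE_DIR
#   Prints how many reported paths fall under PRUNE_DIR (expected: 0).
hits_in_pruned() {
    find_setuid_pruning "$1" "$2" | grep -c "^$2" || true
}

main() {
    base=$(build_scratch_tree)
    echo "Without pruning (what a root-run scan sees):"
    find "$base" -type f -perm -4000 -print
    echo "Pruning $base/private:"
    find_setuid_pruning "$base" "$base/private"
    rm -rf "$base"
}

main "$@"
```

The `-path` argument must be the directory exactly as find will see it (same prefix as the starting point), so in a real script build both from the same variable rather than hard-coding one of them.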
