Date:      Mon, 30 Sep 2024 20:55:12 -0500
From:      Kyle Evans <kevans@FreeBSD.org>
To:        Jamie Landeg-Jones <jamie@catflap.org>, freebsd-current@FreeBSD.org
Subject:   Re: weekly locate error Was: September 2024 stabilization week
Message-ID:  <21c4125f-0ac0-46f4-9f5c-9f14a3e7e397@FreeBSD.org>
In-Reply-To: <202410010036.4910aIoW095390@donotpassgo.dyslexicfish.net>
References:  <ZvEgC9ak7paxygYw@cell.glebi.us> <ZvRze1gldJTCvjir@cell.glebi.us> <Zvh-8cMF_HtOJ3uu@int21h> <Zvrp25zS9thDe3ak@cell.glebi.us> <3313f951-4f9e-4298-bbd8-f82c5a15a0e3@protected-networks.net> <ZvsTQu_LQFHs1lnN@cell.glebi.us> <ZvsX9qOI_bSAL7Mj@int21h> <f01f6af0-d9f2-482c-b2b0-1d86937c86fa@FreeBSD.org> <202410010036.4910aIoW095390@donotpassgo.dyslexicfish.net>

On 9/30/24 19:36, Jamie Landeg-Jones wrote:
> Kyle Evans <kevans@FreeBSD.org> wrote:
> 
>> It might be that the better long-term approach is to teach updatedb.sh
>> how to drop privileges and push that out of the periodic script to avoid
>> surprises like this from the different execution environments.  This
>> /feels/ like the kind of thing we could take an opinionated stance on,
>> maybe providing an escape hatch of some sort if someone really wants to
>> complain that they can't document all filenames on the system.
> 
> This is how it already works. It calls locate.updatedb as "nobody", so
> only files readable by "nobody" are indexed:
> 
>      echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3

Yes, my proposal is that it stops doing that and we teach updatedb to 
handle the priv-dropping instead, so that you get the same behavior no 
matter how you execute it.

Thanks,

Kyle Evans
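The design Kyle proposes, as an added illustration written for this page (it is not FreeBSD's updatedb.sh, locate.updatedb, or the periodic script): a wrapper that drops privileges itself, so an invocation from periodic, cron, or an interactive root shell indexes the same set of files. The user "nobody", the indexer path /usr/libexec/locate.updatedb and the `nice -n 5 su -fm` idiom are taken from the thread; the `UPDATEDB_RUN_AS_ROOT` knob is an invented placeholder for the "escape hatch" mentioned earlier and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not FreeBSD's updatedb.sh): the script decides on its own
# whether it is running as root and, if so, re-runs the indexer as an
# unprivileged user. The caller no longer has to remember the su dance.

INDEXER="${INDEXER:-/usr/libexec/locate.updatedb}"      # path from the thread
UNPRIV_USER="${UNPRIV_USER:-nobody}"                    # user from the thread
UPDATEDB_RUN_AS_ROOT="${UPDATEDB_RUN_AS_ROOT:-no}"      # hypothetical escape hatch

# need_privdrop UID ESCAPE_HATCH
# Exit 0 when a run under numeric UID must be re-executed unprivileged:
# only root (uid 0) has anything to drop, and only while the escape hatch
# is not explicitly set to "yes".
need_privdrop() {
    [ "$1" -eq 0 ] && [ "$2" != "yes" ]
}

# privdrop_cmd USER INDEXER
# Print the command line that runs INDEXER as USER. It mirrors the periodic
# script quoted in the thread: the command is fed on stdin, -m keeps the
# environment and the caller's shell (so it works although "nobody" has no
# login shell), -f skips csh rc files, and nice -n 5 lowers the priority.
privdrop_cmd() {
    printf 'echo %s | nice -n 5 su -fm %s\n' "$2" "$1"
}

# run_indexer: the single entry point a periodic script or a user would call.
run_indexer() {
    uid=$(id -u)
    if need_privdrop "$uid" "$UPDATEDB_RUN_AS_ROOT"; then
        # Same pipeline privdrop_cmd prints, executed directly so no
        # variable is ever passed through eval.
        echo "$INDEXER" | nice -n 5 su -fm "$UNPRIV_USER"
        return $?
    fi
    if [ "$uid" -eq 0 ]; then
        echo "warning: indexing as root; the database will list every file" >&2
    fi
    "$INDEXER"
}

# Only act when explicitly asked, so loading this file for its helper
# functions has no side effects.
case "${1:-}" in
    --run) run_indexer ;;
esac
```

Run it as `sh updatedb_wrapper.sh --run`; from root it re-executes the indexer as "nobody", from any other user it simply runs the indexer, and `UPDATEDB_RUN_AS_ROOT=yes` is the opt-in for sites that really want every filename indexed.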
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?21c4125f-0ac0-46f4-9f5c-9f14a3e7e397>