Bugtraq mailing list archives

Re: Problem with default slackware crontabs


From: jared () wolverine hq cic net (Jared Mauch)
Date: Tue, 24 Dec 1996 21:31:54 -0500


        Updatedb is intended to be run as the "nobody" user, so you could
point symlinks and whatnot elsewhere in the different tmp locations,
and in a home directory (if your system has a home directory for
the nobody user).

        This should be fixed by the folks at GNU.  I've cc:ed them here.

        - Jared

Jon Snyder graced my mailbox with this long sought knowledge:
Using Slackware 3.0, I noticed a problem with the default root crontab.  It
runs updatedb at 7:40 a.m. every day, but unfortunately updatedb has a
temporary file security problem--it doesn't check for symlinks (or if the
file exists, for that matter).  updatedb will write to /var/tmp (or
/usr/tmp), and although the filename includes the PID of the shell the
script is running under, a vulnerability still exists.  I've taken updatedb
out of my crontab, because locate is never used on my system.  However, it
might be wise to modify the script so as to prevent exploits from
compromising your systems.


Jon Snyder
Student Network Technician, FNSBSD
(907) 452-2000 x. 376
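
The temporary-file handling discussed in this thread, as an added example that is not part of either message and is not the updatedb script: a plain redirection to a predictable name in a shared directory beside two hardened forms. The function names, the `updatedb.` prefix and the sandbox paths are hypothetical, and `mktemp` is assumed to be available on the system.

```shell
#!/bin/sh
# Added example: names, paths and the "updatedb." prefix are assumptions.

# Weak form, as the post describes: a fixed-pattern name in a shared
# directory, opened with plain redirection. If the path is already a symlink,
# the write goes through it to whatever it points at.
weak_create() {
    : > "$1"
}

# Hardened form 1: refuse to reuse anything already at the path.
# With noclobber (set -C) the shell creates the file exclusively, so an
# existing regular file, a symlink to one, or a dangling symlink makes it fail.
safe_create() {
    ( set -C; umask 077; : > "$1" ) 2>/dev/null
}

# Hardened form 2: do all scratch work in a private directory with an
# unpredictable name (mode 0700), so other users cannot plant entries in it.
safe_workdir() {
    base=${1:-${TMPDIR:-/tmp}}
    ( umask 077 && mktemp -d "$base/updatedb.XXXXXXXXXX" )
}

# Demo in a throwaway sandbox (constructed data; nothing outside it is touched).
demo() {
    sandbox=$(mktemp -d) || return 1
    echo "important" > "$sandbox/target"
    ln -s "$sandbox/target" "$sandbox/update.1234"   # path that already exists

    if safe_create "$sandbox/update.1234"; then
        echo "safe_create: unexpectedly succeeded"
    else
        echo "safe_create: refused pre-existing path"
    fi
    work=$(safe_workdir "$sandbox") && safe_create "$work/filelist" \
        && echo "private workdir: $work"
    weak_create "$sandbox/update.1234"
    echo "target after weak_create: $(wc -c < "$sandbox/target") bytes"
    rm -rf "$sandbox"
}
demo
```

The noclobber check still permits a path that resolves to a device or FIFO, so the private directory is the stronger of the two measures.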



