Bugtraq mailing list archives

Re: locate


From: juphoff () tarsier cv nrao edu (Jeff Uphoff)
Date: Wed, 17 Jul 1996 14:49:18 -0400


"IO" == Ian Otsane <insanity () acidtrip alaska edu> writes:

IO> There is a minor problem with the "locate" command that comes with
IO> linux (or perhaps other machines too).  You can use it to look into
IO> other people's directories (assuming that you keep the database up to
IO> date, and the database file is world readable, as is the default).
IO> Just type "locate /home/username" and you get a complete list of
IO> what they have.  A possible modification to fix this would be to
IO> either make the locate database chmod 600 (which would deny everyone
IO> all access) or to make updatedb only record entries which are in
IO> world readable directories.

This subject has been discussed quite a bit (read: almost beaten into
the ground) on the linux-security list(s).

Personally, I run the 'find' commands within 'updatedb' as "nobody," but
that requires hacking the script.

--Up.

P.S.  'update' and 'locate' are part of the GNU 'find' package; they're
not Linux-specific code.

--
Jeff Uphoff - systems/network admin.  |  juphoff () nrao edu
National Radio Astronomy Observatory  |  juphoff () bofh org uk
Charlottesville, VA, USA              |  jeff.uphoff () linux org
    PGP key available at: http://www.cv.nrao.edu/~juphoff/
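
The modification proposed in the quoted message (record only entries that sit in world-readable directories), together with a check for a world-readable database file, as an added example that is not part of this thread or of the GNU 'find' package. The function names and the demo tree are constructed for illustration; access is judged by the "other" permission bits only, ignoring ownership, groups and ACLs.

```shell
#!/bin/sh
# Added example: approximate what an updatedb run would record if it
# only indexed paths an unprivileged ("other") user could enumerate.

# list_world_visible ROOT
# Print every path under ROOT reachable through directories that grant
# both read and search permission to "other" (mode bits 005).
# A directory lacking those bits is still printed, because its name is
# visible in its parent's listing, but find does not descend into it.
list_world_visible() {
    find "$1" -type d ! -perm -005 -print -prune -o -print
}

# db_world_readable FILE
# Succeed (exit 0) if FILE has the o+r bit set, i.e. any local user
# can read the locate database and the file names stored in it.
db_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# make_demo_tree
# Build a constructed sample tree in a temporary directory and print
# its path: one home directory is mode 700, the other is mode 755.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/alice/private" "$t/home/bob"
    : > "$t/home/alice/private/notes.txt"
    : > "$t/home/bob/public.txt"
    chmod 755 "$t" "$t/home" "$t/home/bob"
    chmod 700 "$t/home/alice"
    echo "$t"
}
```

Running `list_world_visible "$(make_demo_tree)"` lists `home/alice` itself but nothing beneath it, while everything under `home/bob` appears.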


