Bugtraq mailing list archives

Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate


From: "Jeremy C. Reed" <reed () reedmedia net>
Date: Wed, 1 Aug 2001 12:05:11 -0700 (PDT)

On Wed, 1 Aug 2001, Josh Smith wrote:

In slackware, and possibly other distributions, it is possible to
modify the locate database if one were to obtain UID nobody.  This allows
locate to act as a sort of 'trojan' having anyone who executes it
unknowingly execute potentially malicious code.

This doesn't say whether the locate database is always owned by nobody or
just temporarily. (I am not at a slackware box.) I am just curious, because
some operating systems first create the database as nobody and then
immediately change the ownership (via a weekly cron job for example).

If it is just temporary, then I assume an exploit must be timed.

But, if it is always owned by nobody, then that is a problem. Nothing should
really be owned by "nobody" -- isn't that the purpose of the unprivileged
user?

If files/directories should be owned by nobody, please share some
examples.

Also, if some files are temporarily owned by nobody is this a bad idea?

On a related note, I just saw a nobody-owned mailbox on one of my servers.
The aliases file didn't have nobody aliased. (I'll report this directly to
the OS and package maintainer for the script that generated the aliases
file.)

On Wed, 1 Aug 2001, Linux Mailing Lists wrote:

(relating to webserver running as nobody...)
Suggested work-around: run httpd under another, "private" user ("www" for
example) and group, and be sure to disable any kind of interaction between
users and the web server (CGIs, includes, execs...).

And to add to this: using one "www" user and/or group for *all* virtual
domains' CGI is also a bad idea; in many situations, files (and
directories) created and owned by "www" can be unknowingly used/modified
by other websites. "nobody" (or "www") really means "everybody".

   Jeremy C. Reed
   http://www.reedmedia.net/
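As an added defender-side check for the ownership question raised in this message (example code, not from the original thread or from Slackware): it reports whether a given file, such as the locate database, is owned by a shared unprivileged account or is group/world-writable, and lists files under a directory owned by that account. The database path and the account name are assumptions supplied as arguments.

```shell
#!/bin/sh
# Added example: audit a file (e.g. the locate database) for ownership by a
# shared unprivileged account such as "nobody" and for loose write bits.
# Paths and account names are assumptions passed in by the caller.

# file_owner FILE -> prints the owner name (parses ls -ld, portable)
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# file_mode FILE -> prints the mode string, e.g. -rw-r--r--
file_mode() {
    ls -ld "$1" | awk '{print $1}'
}

# check_db_owner FILE [BADUSER]
# Returns 0 when FILE is neither owned by BADUSER (default: nobody) nor
# group- or world-writable; returns 1 on any finding, 2 if FILE is missing.
check_db_owner() {
    f=$1
    bad=${2:-nobody}
    [ -e "$f" ] || { echo "missing: $f"; return 2; }
    owner=$(file_owner "$f")
    mode=$(file_mode "$f")
    rc=0
    if [ "$owner" = "$bad" ]; then
        echo "WARN: $f is owned by $bad (anyone running as $bad can replace it)"
        rc=1
    fi
    # 6th char = group write bit, 9th char = other write bit
    case $mode in
        ?????w*|????????w*)
            echo "WARN: $f is group- or world-writable ($mode)"
            rc=1 ;;
    esac
    return $rc
}

# find_owned_by DIR USER -> lists regular files under DIR owned by USER,
# useful for spotting anything the shared account could tamper with.
find_owned_by() {
    find "$1" -xdev -type f -user "$2" 2>/dev/null
}

# Usage: ./audit.sh /path/to/locate.db [account]   (path is an assumption)
if [ $# -gt 0 ]; then
    check_db_owner "$1" "${2:-nobody}"
fi
```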
