Bugtraq mailing list archives
Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate
From: Olaf Bohlen <firefox () is sun-powered de>
Date: Wed, 1 Aug 2001 22:21:37 +0200 (MEST)
Hi,

This doesn't say whether the locate database is always owned by nobody or just temporary. (I am not at a slackware box.) I am just curious,
because

This is on my Slackware 8 box:

freyr:/var/spool/locate# ls -l locatedb
-rw-r--r-- 1 nobody nogroup 1664857 Aug 1 04:42 locatedb

And this remains as nobody/nogroup. But: no user (except root) should be able to gain access to nobody. So this is not a security hole imho.

Also, if you run apache-cgi's as user, apache chowns to the owner of the cgi before executing it:

-- snip --
#!/bin/sh
echo "Content-type: text/plain"
echo
echo -n "Running cgi as: "
id
echo "Running httpd as: "
ps -ef | grep httpd | head -1
-- snip --

reports when executed by apache:

Running cgi as: uid=4109(dackel) gid=80(www) groups=80(www)
Running httpd as: www 24330 23441 0 00:42 ? 00:00:27 /usr/local/apache/bin/httpd -DSS

So, I don't see a problem here.

Cheers
--
-- Olaf Bohlen --------------------- cell +49-172-4561817 --
-- Maxfeldstrasse 16 --- mail <firefox () is sun-powered de> --
-- 90409 Nuernberg ------ http http://www.sun-powered.de/ --
-- Germany ---------------------- irc firefox01 (IRC-Net) --
-- ------------------------------------------------------ --
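
The message above turns on whether anything else on the system runs under the account that owns the locate database. The following is an added example, not part of the original post: a Linux-only check (it reads /proc and assumes `stat -c`) that lists processes whose effective UID matches a file's owner. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Linux only (/proc, stat -c).

# owner_uid FILE: print the numeric UID that owns FILE.
owner_uid() {
    stat -c %u -- "$1"
}

# procs_sharing_owner FILE: print "PID NAME" for every process whose
# effective UID equals the owner of FILE. Returns 2 if FILE cannot be read.
procs_sharing_owner() {
    uid=$(owner_uid "$1") || return 2
    for status in /proc/[0-9]*/status; do
        # A process may exit while we iterate, so skip entries that vanish.
        awk -v want="$uid" '
            /^Name:/ { name = $2 }
            /^Pid:/  { pid = $2 }
            /^Uid:/  { euid = $3 }   # fields: real, effective, saved, fs
            END { if (pid != "" && euid == want) print pid, name }
        ' "$status" 2>/dev/null || continue
    done
    return 0
}

# audit_shared_owner FILE: return 0 if no running process shares the
# owner of FILE, 1 if at least one does, 2 if FILE cannot be inspected.
audit_shared_owner() {
    procs=$(procs_sharing_owner "$1") || return 2
    if [ -n "$procs" ]; then
        echo "WARN: $1 is owned by uid $(owner_uid "$1"), which also runs:"
        echo "$procs" | sed 's/^/  /'
        return 1
    fi
    echo "OK: no running process shares the owner of $1"
    return 0
}

# Stand-alone use: sh thisfile /var/spool/locate/locatedb
if [ "$#" -gt 0 ]; then
    audit_shared_owner "$1"
fi
```

A WARN result means some running process has the same UID as the file's owner and could therefore rewrite the file; it does not show that the process is reachable by an untrusted user.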