Bugtraq mailing list archives
Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate
From: Josh Smith <josh () viper falcon-networks com>
Date: Wed, 1 Aug 2001 16:04:17 -0400 (EDT)
In slackware, it is constantly owned by nobody. However, even if it is only owned for nobody for a certain period of time, it just creates a race condition and is still "a problem."
This don't say whether the locate database is always owned by nobody or just temporary. (I am not at a slackware box.) I am just curious, because some operating systems first create the database as nobody and then immediately change the ownership (via a weekly cron job for example). If it is just temporary, then I assume an exploit must be timed. But, if it always owned by nobody, then that is a problem. Nothing should really be owned by "nobody" -- isn't that the purpose of the unprivileged user?
Current thread:
- Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Josh Smith (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Linux Mailing Lists (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Jeremy C. Reed (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Josh Smith (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Jeffrey Denton (Aug 03)
- <Possible follow-ups>
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Olaf Bohlen (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Jeremy C. Reed (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Brian Smith (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Dylan Griffiths (Aug 02)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Felipe Franciosi (Aug 06)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Jeremy C. Reed (Aug 01)
- Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate Nasir Simbolon (Aug 02)