Bugtraq mailing list archives
Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate
From: Dylan Griffiths <Dylan_G () bigfoot com>
Date: Thu, 02 Aug 2001 18:07:00 -0600
Brian Smith wrote:
> It's apparently something that's changed in later versions of Slackware. Here's one from my machine, which was originally Slack3.5 (before going through several upgrades, of course):
>
> -rw-r--r-- 1 root root 740500 Aug 1 04:03 locatedb
This happened because:

    # This updates the database for 'locate' every day:
    40 04 * * * cd / ; updatedb 1> /dev/null 2> /dev/null

was moved from /var/spool/cron/crontabs/root to /var/spool/cron/crontabs/nobody because, when run as root, everyone who ran GNU locate could see whatever files root could see (such as other people's home directories).

I suggest you either upgrade Slackware to slocate ( http://www.geekreview.org/slocate/ ), which is safe to run as root since its locate will check if you're allowed to see the files it shows, or assign each subsystem its own UID (which is a good idea anyways :)).

Hopefully someone who can officially fix Slackware (Pat, Dave, Chris, etc) can get a solid fix into the base distro.

--
www.kuro5hin.org -- technology and culture, from the trenches.
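The two approaches named in the message above, as an added example (not part of the original post, and not GNU locate's or slocate's actual code): a simplified model of Unix mode bits that compares an index built as root, an index built as nobody, and a query-time permission check. The filesystem table, uids and function names are constructed for illustration.

```python
import stat

# Constructed filesystem model: path -> (owner uid, owner gid, mode). Not real data.
FS = {
    "/":                       (0, 0, stat.S_IFDIR | 0o755),
    "/home":                   (0, 0, stat.S_IFDIR | 0o755),
    "/home/alice":             (1000, 100, stat.S_IFDIR | 0o700),
    "/home/alice/payroll.txt": (1000, 100, stat.S_IFREG | 0o600),
    "/usr":                    (0, 0, stat.S_IFDIR | 0o755),
    "/usr/payroll-howto":      (0, 0, stat.S_IFREG | 0o644),
}
ROOT, ALICE, BOB, NOBODY = 0, 1000, 1001, 65534  # hypothetical uids

def allowed(path, uid, gids, want):
    """True if uid/gids hold every bit in `want` (r=4, w=2, x=1) on path."""
    owner, group, mode = FS[path]
    if uid == 0:
        return True                  # root bypasses mode-bit checks
    if uid == owner:
        bits = (mode >> 6) & 7       # owner class
    elif group in gids:
        bits = (mode >> 3) & 7       # group class
    else:
        bits = mode & 7              # other class
    return bits & want == want

def ancestors(path):
    """Yield every directory above path, from '/' downwards."""
    parts = path.strip("/").split("/")[:-1]
    yield "/"
    for i in range(1, len(parts) + 1):
        yield "/" + "/".join(parts[:i])

def findable(path, uid, gids):
    """Model assumption: a tree walk finds a name only via r+x on every ancestor."""
    return all(allowed(d, uid, gids, 5) for d in ancestors(path))

def updatedb(uid, gids):
    """Index every name that a tree walk running as uid would record."""
    return sorted(p for p in FS if findable(p, uid, gids))

def locate(db, pattern):
    """Plain lookup: substring match against the index, no permission check."""
    return [p for p in db if pattern in p]

def checked_locate(db, pattern, uid, gids):
    """Query-time filtering: drop hits the caller could not have found themselves."""
    return [p for p in locate(db, pattern) if findable(p, uid, gids)]
```

In this model the nobody-built index also hides alice's own files from alice, while the query-time check on a root-built index returns them to her and to no one else.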