rwmaillists at googlemail.com
Tue Dec 18 22:44:32 UTC 2012
On Tue, 18 Dec 2012 22:53:29 +0100
> On Tue, 18 Dec 2012 21:32:50 +0000, RW wrote:
> > On Tue, 18 Dec 2012 21:01:33 +0000 (UTC)
> > Walter Hurry wrote:
> > > $ sudo /usr/libexec/locate.updatedb
> > > >>> WARNING
> > > >>> Executing updatedb as root. This WILL reveal all filenames
> > > >>> on your machine to all login users, which is a security risk.
> > > $
> > >
> > > Why is it a "security risk"? Security through obscurity? Really?
> > > In this day and age?
> > >
> > > Or am I missing something?
> > If permissions have been set to prevent other users reading
> > filenames then obviously leaking file names is a security issue.

> There are no "leaking file names",

There is from the perspective of an ordinary user that's configured
directories under ~ to be confidential.

> as by command, the tool does
> what it is requested to: to not obey the restrictions that apply
> in its _normal_ use and list _all_ file names instead.

Obviously. But the warning is intended for people that haven't
thought through the consequences of what they are doing.

On Tue, 18 Dec 2012 22:49:43 +0100
Bas Smeelen wrote:

> Yes. But as stated before it defaults to run as user nobody.
> Line 26 /etc/periodic/weekly/310.locate
> echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3

This is true but not very relevant.
It runs as nobody from the periodic script, but the warning comes from
locate.updatedb itself, which may be run independently of 310.locate.

> If someone runs it as root it can be, as everything being run as
> root, a security issue.

Not really; mostly when things are run as root there is an additional
risk. Very few things do the wrong thing simply as a consequence of
running as root, so it warrants a warning.
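
An added example, not part of the original message or of FreeBSD's scripts: an audit that compares an index built with full privileges against directory modes and reports the file names an unprivileged scan (such as the `nobody` run in 310.locate) could not have listed. It assumes the "other" permission bits decide what an unprivileged user sees (ACLs and group membership are ignored); the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

OTHER_RX = stat.S_IROTH | stat.S_IXOTH  # read + search for "other"


def hidden_from_others(path, root):
    """Return the topmost ancestor directory of `path` (up to `root`) that
    denies read or search to "other", or None if every ancestor allows both."""
    root = os.path.abspath(root)
    current = os.path.dirname(os.path.abspath(path))
    blocked = None
    while True:
        if os.stat(current).st_mode & OTHER_RX != OTHER_RX:
            blocked = current
        parent = os.path.dirname(current)
        if current == root or parent == current:
            return blocked
        current = parent


def leaked_names(index_paths, root):
    """Index entries that sit below a directory closed to other users."""
    return sorted(p for p in index_paths if hidden_from_others(p, root))


def full_index(root):
    """What a fully privileged scan records: every file name under root."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]


def build_sample_tree():
    """Constructed sample: a public directory and a private 0700 one."""
    root = tempfile.mkdtemp()
    for rel, mode in (("pub", 0o755), ("home/alice/private", 0o700)):
        d = os.path.join(root, rel)
        os.makedirs(d)
        open(os.path.join(d, "notes.txt"), "w").close()
        os.chmod(d, mode)
    for rel in ("", "home", "home/alice"):
        os.chmod(os.path.join(root, rel), 0o755)  # mkdtemp defaults to 0700
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for name in leaked_names(full_index(sample), sample):
        print("exposed by a root-built index:", name)
```

On a real system the paths would come from the `locate` database rather than from `full_index`.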