limiting find(1) in /etc/periodic scripts

Arthur Chance freebsd at qeng-ho.org
Mon Jul 20 11:31:17 UTC 2015


On 20/07/2015 11:39, Scott Bennett wrote:
> Polytropon <freebsd at edvax.de> wrote:
>
>> On Mon, 20 Jul 2015 04:10:09 -0500, Scott Bennett wrote:
>>>       What is the best way to keep find(1) in the various /etc/periodic
>>> scripts from descending into certain directories?

To control locate, you can edit /etc/locate.rc to modify PRUNEPATHS 
suitably. For the rest, I think you'll have to hack the periodic scripts 
directly.

>>
>> If I remember correctly, find will only descend into directories
>> that have the o+rx attribute (readable by everyone). If you do
>
>       No, it goes wherever it has read access (plus execute access
> for directories).  Also, the /etc/periodic scripts get run as root.
>
>> not want a subtree to be searched, make sure it's +rx for the
>> owner and +rx for the group, as well as +w where needed, usually
>> +rwx for the user. A typical setting then is drwxr-x--- for such
>> directories.
>>
>> There is another problem:
>>
>> Directories such as /root should not be searched. The problem
>> is that there will be an additional information leak, like
>>
>> 	$ locate system_secrets
>> 	/root/system_secrets.txt
>>
>       Well, that's not a worry because the locate stuff has only
> created empty locate databases since sometime in FreeBSD 6.

It's always worked fine for me, I'm currently on 10.1-REL. Do most of 
your files live on servers rather than the box you're running locate on? 
By default locate.updatedb does not consider files that are network 
mounted. To override edit FILESYSTEMS in /etc/locate.conf to control the 
flavours of filesystem that are searched. Mine has

FILESYSTEMS="ufs zfs nfs"

> I've
> tried several times without success to get it to work and to get
> it to run as "nobody".  It's almost as irritating as the five-
> minute stall for vi.recover during multi-user startup.

But building the locate database already runs as nobody. Line 26 of 
/etc/periodic/weekly/310.locate reads

     echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3

There's an su in the middle of that. If locate.updatedb is actually run 
as root it complains loudly (but does it anyway as you told it to).


-- 
Those who do not learn from computing history are doomed to
GOTO 1
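An added example, not part of Arthur's reply and not code from the FreeBSD periodic scripts: when "hacking the periodic scripts directly" is the only option for find(1), the edit comes down to inserting a -prune group ahead of the script's existing -print (or -exec) branch. The script below builds that group portably in POSIX sh and contrasts it with the unmodified walk. The directory tree, its names and the skipped paths are constructed placeholders for the demonstration, not real system paths.

```shell
#!/bin/sh
# Added example, not from the original mail: keeping find(1) out of chosen
# subtrees with -prune, the POSIX idiom you would splice into a hand-edited
# /etc/periodic script.  The tree below is constructed here so the script
# runs offline; its directory names are placeholders, not real system paths.
set -eu

# build_tree DIR: create the constructed sample tree under DIR.
build_tree() {
    mkdir -p "$1/home/alice" "$1/root" "$1/nfs/share/deep"
    : > "$1/home/alice/notes.txt"
    : > "$1/root/system_secrets.txt"
    : > "$1/nfs/share/deep/big.iso"
}

# naive_find ROOT: what an unmodified script does, walk everything.
naive_find() {
    find "$1" -type f | sort
}

# pruned_find ROOT SKIPDIR...: list regular files under ROOT without ever
# entering any SKIPDIR.  The expression handed to find is
#     \( -path SKIP1 -o -path SKIP2 ... \) -prune -o -type f -print
# -prune must sit before the -o: it is true for the matched directory and
# tells find not to descend, so the -print branch only sees paths outside
# the excluded subtrees.  Filtering afterwards (find ... | grep -v) would
# still read the excluded directories, which is the I/O and the exposure
# being avoided.  -path takes a shell-style pattern, so "$dir/*" forms work too.
pruned_find() {
    root=$1; shift
    [ $# -gt 0 ] || { naive_find "$root"; return; }
    # Rebuild "$@" as the parenthesised -path group.  The for list is
    # expanded once up front, so reassigning "$@" inside the loop is safe.
    i=0
    for d in "$@"; do
        i=$((i + 1))
        if [ "$i" -eq 1 ]; then
            set -- "(" -path "$d"
        else
            set -- "$@" -o -path "$d"
        fi
    done
    set -- "$@" ")" -prune
    find "$root" "$@" -o -type f -print | sort
}

# demo: build the constructed tree, show both walks, clean up.
demo() {
    tmp=$(mktemp -d)
    build_tree "$tmp"
    echo "# unpruned:"
    naive_find "$tmp"
    echo "# pruned (skipping $tmp/root and $tmp/nfs):"
    pruned_find "$tmp" "$tmp/root" "$tmp/nfs"
    rm -rf "$tmp"
}

demo
```

The pruned walk lists only home/alice/notes.txt; the "secrets" file and the deep tree are never opened. For the network-mount case discussed above, find's -x (BSD) or -xdev flag stops the walk at mount-point boundaries and plays the role that FILESYSTEMS plays for locate.updatedb; it can be combined with the -prune group when both kinds of exclusion are wanted.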