From nobody@FreeBSD.org  Sat Feb  9 18:29:52 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 24DFF37B402
	for <freebsd-gnats-submit@FreeBSD.org>; Sat,  9 Feb 2002 18:29:52 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g1A2TqT88107;
	Sat, 9 Feb 2002 18:29:52 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200202100229.g1A2TqT88107@freefall.freebsd.org>
Date: Sat, 9 Feb 2002 18:29:52 -0800 (PST)
From: "f. johan beisser" <jan@caustic.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: locate(1)'s database is generated with root permissions
X-Send-Pr-Version: www-1.0

>Number:         34780
>Category:       conf
>Synopsis:       locate(1)'s database is generated with root permissions
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Feb 09 18:30:01 PST 2002
>Closed-Date:    Sun Feb 10 11:50:31 PST 2002
>Last-Modified:  Sun Feb 10 11:51:00 PST 2002
>Originator:     f. johan beisser
>Release:        -CURRENT. problem also exists in -STABLE.
>Organization:
>Environment:
>Description:
      the locate(1) database is generated with root permissions. this allows any user to find the existence of any other user's files through the locate(1) command. this means doing a search for any user's login, you can get a list of all of the files in their home directory, no matter what permissions the file has.

technically, this is a privacy violation by periodic(8). locate.mklocatedb creates the /var/db/locate.database as whoever the invoking user happens to be. since 310.locate (/etc/periodic/weekly/310.locate) is called by root, it doesn't pay any attention to user set permissions while generating the database.
>How-To-Repeat:
      it's repeated every week by periodic(8).
>Fix:
      stop generating the locate database as the root user.

the other option is to set up locate(1) a bit more securely via adjusting the locate.rc (/etc/locate.rc) or by excluding user home directories (/usr/home) automagically.
>Release-Note:
>Audit-Trail:

From: Mike Makonnen <mike_makonnen@yahoo.com>
To: "f. johan beisser" <jan@caustic.org>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: conf/34780: locate(1)'s database is generated with root permissions
Date: Sun, 10 Feb 2002 02:17:25 -0800

 On Sat, 2002-02-09 at 18:29, f. johan beisser wrote:
 >       the locate(1) database is generated with root permissions. this allows any user to find the existence of any other user's files through the locate(1) command. 
 > this means doing a search for any user's login, you can get a list of 
 > all of the files in their home directory, no matter what permissions 
 > the file has.
 
 Yes, it is called by root, but the script su's to user nobody before
 updating the database.
 
 
 cheers,
 mike makonnen

From: "f.johan.beisser" <jan@caustic.org>
To: Mike Makonnen <mike_makonnen@yahoo.com>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: conf/34780: locate(1)'s database is generated with root permissions
Date: Sun, 10 Feb 2002 05:46:13 -0800 (PST)

 On Sun, 10 Feb 2002, Mike Makonnen wrote:
 
 > Yes, it is called by root, but the script su's to user nobody before
 > updating the database.
 
 of course, now that i've gone through this again (3rd time's a charm), i
 see the line i wish i'd seen before:
 
     cd /
     echo /usr/libexec/locate.updatedb | nice -5 su -fm nobody || rc=3
     chmod 444 $locdb || rc=3;;
 
 whoops. my brain is failing me today.
 
 -------/ f. johan beisser /--------------------------------------+
   http://caustic.org/~jan                      jan@caustic.org
     "John Ashcroft is really just the reanimated corpse
          of J. Edgar Hoover." -- Tim Triche
 
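The property the thread settles on (the database is built as nobody, so it can only list paths an unprivileged user can reach) can be checked after the fact against an existing locate path list. Added example, not code from the PR or from FreeBSD's periodic scripts; it assumes the builder is neither owner nor group member of the directories it walks, so only the "other" search bit decides visibility, and it uses a constructed temporary tree as sample input.

```python
"""Audit a locate(1) path list for entries that a nobody-run build
could not have seen.  Added example, not part of the PR."""
import os
import shutil
import stat
import tempfile
from typing import Callable, Iterable, List


def visible_to_other(path: str, mode_of: Callable[[str], int], base: str = "/") -> bool:
    """True if every directory from `base` down to (excluding) the leaf grants
    search permission to "other".  Assumption: the builder is neither owner
    nor group member of these directories, so only S_IXOTH matters."""
    ancestors = [base]
    for part in os.path.relpath(path, base).split(os.sep)[:-1]:
        ancestors.append(os.path.join(ancestors[-1], part))
    return all(mode_of(d) & stat.S_IXOTH for d in ancestors)


def leaked_entries(db_paths: Iterable[str], mode_of: Callable[[str], int],
                   base: str = "/") -> List[str]:
    """Entries in the database that an unprivileged builder could not reach.
    A non-empty result means the database was built with more privilege
    than the "su nobody" in 310.locate intends."""
    return [p for p in db_paths if not visible_to_other(p, mode_of, base)]


def mode_of_fs(path: str) -> int:
    """Real filesystem mode bits (lstat, so symlinks are not followed)."""
    return os.lstat(path).st_mode


def demo() -> List[str]:
    """Build a constructed tree, pretend a root-run updatedb indexed all of
    it, and return the entries a nobody-run build would have hidden."""
    root = tempfile.mkdtemp()
    try:
        os.chmod(root, 0o755)
        os.makedirs(os.path.join(root, "home"))
        os.chmod(os.path.join(root, "home"), 0o755)
        db = []  # what a root-run build would record: every file
        for user, mode in {"alice": 0o700, "bob": 0o755}.items():  # constructed homes
            home = os.path.join(root, "home", user)
            os.mkdir(home)
            os.chmod(home, mode)
            note = os.path.join(home, "diary.txt")
            open(note, "w").close()
            db.append(note)
        return [os.path.relpath(p, root) for p in leaked_entries(db, mode_of_fs, root)]
    finally:
        shutil.rmtree(root)
```

Run against a real host by feeding the output of `locate '*'` (or the decoded database) to `leaked_entries` with `mode_of_fs`; any hit is a path the database should not be advertising.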
State-Changed-From-To: open->closed 
State-Changed-By: dwmalone 
State-Changed-When: Sun Feb 10 11:50:31 PST 2002 
State-Changed-Why:  
Submitter spotted the "su nobody" just after submitting! 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=34780 
>Unformatted:
