Bugtraq mailing list archives
Re: locate
From: juphoff () tarsier cv nrao edu (Jeff Uphoff)
Date: Wed, 17 Jul 1996 14:49:18 -0400
"IO" == Ian Otsane <insanity () acidtrip alaska edu> writes:

IO> There is a minor problem with the "locate" command that comes with
IO> linux (or perhaps other machines too). You can use it to look into
IO> other people's directories (assuming that you keep the database up to
IO> date, and the database file is world readable, as is the default).
IO> Just type "locate /home/username" and you get a complete list of
IO> what they have. A possible modification to fix this would be to
IO> either make the locate database chmod 600 (which would deny everyone
IO> all access) or to make updatedb only record entries which are in
IO> world readable directories.

This subject has been discussed quite a bit (read: almost beaten into
the ground) on the linux-security list(s). Personally, I run the 'find'
commands within 'updatedb' as "nobody," but that requires hacking the
script.

--Up.

P.S. 'update' and 'locate' are part of the GNU 'find' package; they're
not Linux-specific code.

-- 
Jeff Uphoff - systems/network admin.  |  juphoff () nrao edu
National Radio Astronomy Observatory  |  juphoff () bofh org uk
Charlottesville, VA, USA              |  jeff.uphoff () linux org
    PGP key available at: http://www.cv.nrao.edu/~juphoff/
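
Both fixes raised in this thread (recording only entries in world-readable directories, or running the 'find' pass as "nobody") come down to one filter: index an entry only if an unprivileged user could have listed it. The following is an added example, not code from the post or from the GNU 'find' package; it checks the "other" mode bits only (ACLs and group membership are ignored), and the function names and sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# A directory is enumerable by "other" only with both read and search bits.
WORLD_RX = stat.S_IROTH | stat.S_IXOTH


def world_visible_paths(root):
    """Return the paths under root that a user with only 'other' rights could list.

    Assumption: root itself is reachable. A directory with restricted
    permissions is recorded by name (its parent exposes it), never its contents.
    """
    visible = []
    stack = [root]
    while stack:
        directory = stack.pop()
        if os.lstat(directory).st_mode & WORLD_RX != WORLD_RX:
            continue  # private directory: do not index what is inside
        for name in os.listdir(directory):
            path = os.path.join(directory, name)
            visible.append(path)
            # lstat so symlinks are recorded but never followed
            if stat.S_ISDIR(os.lstat(path).st_mode):
                stack.append(path)
    return sorted(visible)


def build_sample_tree():
    """Constructed sample: one open home directory (0755), one private (0700)."""
    base = tempfile.mkdtemp(prefix="locate-demo-")
    os.chmod(base, 0o755)
    for user, mode in (("alice", 0o755), ("bob", 0o700)):
        home = os.path.join(base, "home", user)
        os.makedirs(home)
        with open(os.path.join(home, "notes.txt"), "w") as fh:
            fh.write("constructed sample file\n")
        os.chmod(home, mode)  # explicit chmod so the umask does not matter
    os.chmod(os.path.join(base, "home"), 0o755)
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    for path in world_visible_paths(base):
        print(os.path.relpath(path, base))
```

A database built this way can stay world-readable, because it holds nothing an unprivileged user could not already enumerate directly.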