Package: mlocate
Version: 0.26-2

The authors of mlocate need to figure out what their security model is since the documentation and behavior seem to be confused about what the actual model is.

Of crucial note, is the "mlocate" group supposed to be the controlling factor for access to these DB files? After some experimentation I found `mlocate` will NOT provide results from a database file other than /var/lib/mlocate/mlocate.db which is only readable by the "mlocate" group. This seems to contradict mlocate's `updatedb` program which WILL NOT create a database file owned by a group other than "mlocate" without a special option (-l no).

If the group is supposed to be the controlling factor, then `mlocate` should provide results from extra database files readable by group "mlocate". True, examining DB files specified by --database or $LOCATE_PATH which are readable by "mlocate", but not the user is hazardous. Yet if the group is properly controlled the hazard is small.

-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \BS (    |         ehem+sig...@m5p.com  PGP 87145445         |    )   /
  \_CS\   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445
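
A permission audit for the group-based model discussed in the report above, as an added example that is not part of the original message or of mlocate: it classifies the default database and each $LOCATE_PATH entry by group and mode. The `TRUSTED_GROUP` variable, the function names, the verdict strings, GNU `stat`, and the colon-separated form of $LOCATE_PATH are assumptions.

```shell
#!/bin/sh
# Added example, not mlocate code. Assumes GNU stat (-c) is available.
# TRUSTED_GROUP (hypothetical variable) names the group expected to gate access.

# Print one verdict for a database file:
#   missing            file does not exist
#   world-readable     "other" can read it, so group control is moot
#   wrong-group        not owned by the trusted group
#   group-cannot-read  trusted group owns it but lacks the read bit
#   ok-user-readable   group-controlled and the invoking user can read it
#   ok-group-only      group-controlled, invoking user cannot read it directly
#                      (the case the report says is refused for extra databases)
classify_db() {
    db=$1
    [ -f "$db" ] || { echo missing; return; }
    mode=$(stat -c '%a' "$db")     # octal permission bits, e.g. 640
    group=$(stat -c '%G' "$db")    # group name, or UNKNOWN if the gid has none
    m=$((0$mode))                  # leading 0 makes the shell read it as octal
    if [ $((m & 04)) -ne 0 ]; then
        echo world-readable
    elif [ "$group" != "${TRUSTED_GROUP:-mlocate}" ]; then
        echo wrong-group
    elif [ $((m & 040)) -eq 0 ]; then
        echo group-cannot-read
    elif [ -r "$db" ]; then
        echo ok-user-readable
    else
        echo ok-group-only
    fi
}

# Audit the default database plus every entry of $LOCATE_PATH
# (assumed to be a colon-separated list of database paths).
audit_locate_dbs() {
    old_ifs=$IFS
    IFS=:
    for db in /var/lib/mlocate/mlocate.db $LOCATE_PATH; do
        if [ -n "$db" ]; then
            printf '%s\t%s\n' "$db" "$(classify_db "$db")"
        fi
    done
    IFS=$old_ifs
}

audit_locate_dbs
```
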