On Tue, Mar 28, 2006 at 07:04:13PM -0500, Justin Pryzby wrote:

> On Tue, Mar 28, 2006 at 02:58:56PM -0800, Kevin Lindsay wrote:
> > Well, if you index your filesystem using GNU Locate as root, the
> > location to every file will be available to all users. Isn't it
> > added security that Secure Locate will perform proper access checks
> > to ensure the user is able to see the file location?
> On other systems only.

No, you can configure GNU Locate to index as root. Also, if a file is
indexed as nobody and then has its permissions changed, the file will
still be visible until the next update. I would consider this a security
issue. I mean, imagine the embarrassment when someone realizes their
porn collection is readable by nobody! It may take up to 24 hrs before
the permissions change really takes effect. ;)

> > Just because Debian uses a default context of indexing with 'nobody'
> > doesn't mean that the extra security checks are not relevant to the
> > description.
> I think it makes sense for the Debian description to be able to make
> assumptions about the default and typical behavior of another common
> Debian package.
> 
> Perhaps the description could be extended to include the details:
> 
>  slocate - enhanced locate implementation, with permission 
>  .
>  On Debian, findutil's locate database includes by default only files
>  visible to every user.  On other systems, it may index every file,
>  and could disclose the existence of otherwise hidden files.  On those
>  systems, slocate will not display to the invoking user those files
>  which are not otherwise visible to them.  In Debian, slocate provides
>  added functionality, by outputting not only files visible to
>  everybody, but also files visible to the invoking user.

I do like the more informative description, I will update the package
on the next point release.

Kevin-

--
Kevin Lindsay <[EMAIL PROTECTED]>
PGP Key Id:   746C51F4
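The stale-index point raised in the message above (a file indexed while it was readable stays in the database, and therefore in plain locate's output, until the next updatedb run, whereas slocate re-checks access at query time) can be shown with a small model. This is an added example, not code from this thread, from findutils or from slocate: it builds a path-only snapshot of a constructed temporary tree, locks one directory down after the snapshot, and then answers the same query two ways. The permission check is a simplified version of slocate's per-component check (search bit on every ancestor directory, read from stat so the result does not depend on who runs the script), and the querying user is a simulated uid that is neither root nor the owner.

```python
import os
import shutil
import stat
import tempfile


def build_index(root):
    """Snapshot the tree the way updatedb does: one pass, paths only,
    with no record of who may read what."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entries.append(os.path.join(dirpath, name))
    return sorted(entries)


def dir_searchable(st, uid, gids):
    """Can a user with this uid/gids traverse a directory with stat result st?
    Checks the search (execute) bit of the applicable owner/group/other class."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def visible_to(path, root, uid, gids):
    """Query-time check in the spirit of slocate (simplified): the entry must
    still exist and every directory from root down to its parent must be
    searchable by the querying user."""
    try:
        os.stat(path)
    except FileNotFoundError:
        return False
    ancestors = [root]
    rel = os.path.relpath(os.path.dirname(path), root)
    cur = root
    if rel != ".":
        for part in rel.split(os.sep):
            cur = os.path.join(cur, part)
            ancestors.append(cur)
    return all(dir_searchable(os.stat(d), uid, gids) for d in ancestors)


def gnu_locate(index, pattern):
    """Plain locate: answers from the snapshot alone."""
    return [p for p in index if pattern in os.path.basename(p)]


def secure_locate(index, pattern, root, uid, gids):
    """slocate-style: same snapshot, but entries the caller cannot reach
    right now are dropped before output."""
    return [p for p in gnu_locate(index, pattern)
            if visible_to(p, root, uid, gids)]


def demo():
    """Constructed scenario: index while everything is world-searchable,
    then lock one directory down, then query as a simulated other user."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for sub, fname in (("public", "readme.txt"), ("private", "secret.txt")):
        d = os.path.join(root, sub)
        os.mkdir(d)
        os.chmod(d, 0o755)
        with open(os.path.join(d, fname), "w") as fh:
            fh.write("constructed sample\n")
    index = build_index(root)                          # the nightly updatedb run
    os.chmod(os.path.join(root, "private"), 0o700)     # owner locks it down afterwards
    other_uid = os.getuid() + 1                        # simulated uid: not owner, not root
    gnu = [os.path.basename(p) for p in gnu_locate(index, ".txt")]
    sec = [os.path.basename(p)
           for p in secure_locate(index, ".txt", root, other_uid, set())]
    shutil.rmtree(root)
    return {"gnu": gnu, "slocate": sec}


if __name__ == "__main__":
    print(demo())
```

The snapshot still names `secret.txt` after the chmod, so the plain lookup discloses its existence to the simulated user; the query-time check removes it, which is the behaviour the thread attributes to slocate. The staleness window is the interval between the permission change and the next index rebuild, which is why the check has to happen at query time rather than at index time.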
