tag 359793 patch
thanks

On Wed, Apr 12, 2006 at 09:45:03AM -0700, Kevin Lindsay wrote:
> On Tue, Mar 28, 2006 at 07:04:13PM -0500, Justin Pryzby wrote:
>
> > On Tue, Mar 28, 2006 at 02:58:56PM -0800, Kevin Lindsay wrote:
> > > Well, if you index your filesystem using GNU Locate as root, the
> > > location to every file will be available to all users. Isn't it
> > > added security that Secure Locate will perform proper access checks
> > > to ensure the user is able to see the file location?
> > On other systems only.
>
> No, you can configure GNU Locate to index as root. Also, if a file is
> indexed as nobody and then has its permissions changed, the file will
> still be visible until the next update. I would consider this a security
> issue. I mean, imagine the embarrassment when someone realizes their
> porn collection is readable by nobody! It may take up to 24 hrs before
> the permissions change really takes effect. ;)
>
> > > Just because Debian uses a default context of indexing with 'nobody'
> > > doesn't mean that the extra security checks are not relevant to the
> > > description.
> > I think it makes sense for the Debian description to be able to make
> > assumptions about the default and typical behavior of another common
> > Debian package.
> >
> > Perhaps the description could be extended to include the details:
> >
> >   slocate - enhanced locate implementation, with permission
> >   .
> >   On Debian, findutil's locate database includes by default only files
> >   visible to every user. On other systems, it may index every file,
> >   and could disclose the existence of otherwise hidden files. On those
> >   systems, slocate will not display to the invoking user those files
> >   which are not other visible to them. In Debian, slocate provides
                    ^^^^ wise
> >   added functionality, by outputting not only files visible to
> >   everybody, but also files visible to the invoking user.
>
> I do like the more informative description, I will update the package
> on the next point release.

Great! Thanks for considering.

Justin
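
A small model of the behaviour discussed in this thread, as an added example that is not part of the original message and is not slocate's or findutils' code: an index built while a directory is world-readable keeps returning its files after the permissions are tightened, unless the lookup re-checks access for the invoking user. The function names, the sample tree and the visibility rule (search permission on every directory down to the parent, read permission on the parent) are assumptions of this sketch.

```python
import os, tempfile

def allowed(st, uid, gids, want):
    # Classic owner/group/other mode-bit check for a given uid
    # (ACLs and the root override are deliberately ignored in this model).
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & want) == want

def visible(root, path, uid, gids=()):
    # Query-time check (assumed rule): each directory from the index root down
    # to the file's parent must be searchable (x), and the parent readable (r).
    rel = os.path.relpath(os.path.dirname(path), root)
    dirs = [root]
    for part in ([] if rel == "." else rel.split(os.sep)):
        dirs.append(os.path.join(dirs[-1], part))
    try:
        stats = [os.stat(d) for d in dirs]
        os.lstat(path)  # the entry may have been deleted since indexing
    except OSError:
        return False
    return all(allowed(s, uid, gids, 1) for s in stats) and allowed(stats[-1], uid, gids, 4)

def build_index(root):
    # Index-time walk with the indexer's privileges, like a periodic database update.
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)

def locate(index, pattern, root=None, uid=None, gids=()):
    hits = [p for p in index if pattern in os.path.basename(p)]
    if uid is None:  # plain database lookup: trusts the index-time state
        return hits
    return [p for p in hits if visible(root, p, uid, gids)]

def demo():
    # Constructed sample tree: <root>/pub/notes.txt and <root>/home/notes.txt.
    with tempfile.TemporaryDirectory() as root:
        for d in ("pub", "home"):
            os.mkdir(os.path.join(root, d))
        for d in (root, os.path.join(root, "pub"), os.path.join(root, "home")):
            os.chmod(d, 0o755)
        for f in (("pub", "notes.txt"), ("home", "notes.txt")):
            open(os.path.join(root, *f), "w").close()
        index = build_index(root)                    # both files world-visible now
        os.chmod(os.path.join(root, "home"), 0o700)  # tightened after indexing
        owner = os.stat(root).st_uid
        other = owner + 1                            # hypothetical unrelated user
        rel = lambda paths: [os.path.relpath(p, root) for p in paths]
        return {"stale": rel(locate(index, "notes")),
                "other": rel(locate(index, "notes", root, other)),
                "owner": rel(locate(index, "notes", root, owner))}

if __name__ == "__main__":
    print(demo())
```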