Date: Tue, 18 Dec 2012 22:13:10 +0100
From: Polytropon <freebsd@edvax.de>
To: Walter Hurry <walterhurry@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: updatedb?
Message-ID: <20121218221310.cbcb9add.freebsd@edvax.de>
In-Reply-To: <kaqljd$gj4$1@ger.gmane.org>
References: <kaqljd$gj4$1@ger.gmane.org>

On Tue, 18 Dec 2012 21:01:33 +0000 (UTC), Walter Hurry wrote:
> $ sudo /usr/libexec/locate.updatedb
> >>> WARNING
> >>> Executing updatedb as root. This WILL reveal all filenames
> >>> on your machine to all login users, which is a security risk.
> $
>
> Why is it a "security risk"? Security through obscurity? Really? In this
> day and age?
>
> Or am I missing something?

Depends. In case you're using your system primarily as a
single-user installation - no problem. If there are users
who don't have trust in others (and this is _correct_), any
call of "locate <something>" could reveal data stored on
different user accounts, even if they cannot be accessed due
to o-x for the individual home directories. Sometimes file
names can already tell a lot.

The locate.updatedb is usually run from the "nobody" user
account when invoked automatically. This means that the
directory restrictions can apply (e. g. user home directories
cannot be searched when they have o-x attribute).

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
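
The o-x restriction described in the message above can be checked per directory. The following is an added example, not part of the original message or of FreeBSD's locate scripts; the function names `other_x`, `audit_homes` and `demo`, the "indexed"/"skipped" labels and the sample tree are constructed for illustration, and it assumes "nobody" is neither owner nor group member of the directories.

```shell
#!/bin/sh
# Added example: classify directories by the "other" execute bit, the
# restriction the message says applies when updatedb runs as "nobody".
# Assumes "nobody" is neither owner nor group member of the directories
# and that the parent path itself is traversable.

# other_x DIR: print the other-execute character from the ls mode string
# (x or t = search permission granted; - or T = denied).
other_x() {
    ls -ld -- "$1" | cut -c10
}

# audit_homes BASE: one line per real subdirectory of BASE,
# "indexed PATH" if others may search it, "skipped PATH" if not.
audit_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        if [ ! -d "$d" ] || [ -L "$d" ]; then continue; fi
        case $(other_x "$d") in
            x|t) echo "indexed $d" ;;
            *)   echo "skipped $d" ;;
        esac
    done
}

# Constructed sample tree: alice leaves o+x set, bob uses o-x.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/alice" "$tmp/bob"
    chmod 755 "$tmp/alice"
    chmod 750 "$tmp/bob"
    audit_homes "$tmp"
    rm -rf "$tmp"
}

demo
```

A root-run updatedb is not bound by these mode bits, which is the situation the quoted warning describes.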