Bug ID 902655
Summary Access control in mlocate is not applied properly.
Classification openSUSE
Product openSUSE 13.1
Version Final
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Basesystem
Assignee bnc-team-screening@forge.provo.novell.com
Reporter carlos.e.r@opensuse.org
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Using mlocate, the user "nobody" can find files in a home directory to which he
has no permission at all. Example:

nobody@Telcontar:~> locate 20071006.0109
/home/cer/pine-crash.20071006.0109
/home_aux/cer/pine-crash.20071006.0109
nobody@Telcontar:~> l /home/cer/pine-crash.20071006.0109
ls: cannot access /home/cer/pine-crash.20071006.0109: Permission denied
nobody@Telcontar:~> l /home/cer
ls: cannot open directory /home/cer: Permission denied
nobody@Telcontar:~>


He should not be able to locate that file, but he can. This is due to the
updatedb process in /etc/cron.daily/mlocate.cron not using the switch
"--require-visibility yes".

I have added that switch, and now (after running mlocate.cron once as root) I
get a reasonable result:

nobody@Telcontar:~> locate 20071006.0109
nobody@Telcontar:~> 

However, then my normal user cannot call locate:

cer@Telcontar:~> locate 20071006.0109
locate: can not open `/var/lib/mlocate/mlocate.db': Permission denied
cer@Telcontar:~>

because, I guess, he is not in the "locate" group. However, it is strange that
"nobody" does not get that error. This is due to these strange permissions:

Telcontar:~ # l /var/lib/mlocate/mlocate.db
-rw-r----- 1 root nobody 54045911 Oct 26 22:19 /var/lib/mlocate/mlocate.db
Telcontar:~ # 

It should be the "locate" group, not the "nobody" group.



See also Bug 902588 and Bug 847801
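
An audit of the two conditions described in this report, as an added example that is not part of the original report or of the mlocate package. It assumes GNU stat; the function names are hypothetical, and the group name "locate" and both paths are taken from the report.

```shell
#!/bin/sh
# Added example: audit the two conditions described in the report.
# Assumes GNU stat (-c). Paths and the expected group are passed by the caller.

# check_db_perms DB EXPECTED_GROUP
# Prints one line per finding; returns 0 if clean, 1 if findings, 2 on error.
check_db_perms() {
    db=$1 want=$2 rc=0
    mode=$(stat -c %a "$db") || return 2
    group=$(stat -c %G "$db") || return 2
    other=${mode#"${mode%?}"}            # last octal digit = "other" bits
    if [ $((other & 4)) -ne 0 ]; then
        echo "$db: mode $mode is readable by others"
        rc=1
    fi
    if [ "$group" != "$want" ]; then
        echo "$db: group is '$group', expected '$want'"
        rc=1
    fi
    return $rc
}

# check_visibility_switch SCRIPT
# Returns 0 only if a non-comment line passes "--require-visibility yes" (or 1).
check_visibility_switch() {
    if grep -v '^[[:space:]]*#' "$1" |
       grep -Eq -- '--require-visibility[= ]+(yes|1)([^[:alnum:]]|$)'; then
        return 0
    fi
    echo "$1: --require-visibility is not set to yes"
    return 1
}

# Run against the paths named in the report when executed directly:
#   sh audit.sh run
if [ "${1:-}" = run ]; then
    check_db_perms /var/lib/mlocate/mlocate.db locate
    check_visibility_switch /etc/cron.daily/mlocate.cron
fi
```

On the system shown in the report, the first check would flag the database because its group is "nobody" rather than "locate".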

