Bug ID | 902655 |
---|---|
Summary | Access control in mlocate is not applied properly. |
Classification | openSUSE |
Product | openSUSE 13.1 |
Version | Final |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Basesystem |
Assignee | bnc-team-screening@forge.provo.novell.com |
Reporter | carlos.e.r@opensuse.org |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
Using mlocate, the user "nobody" can find files in a home directory to which he has no permission at all. Example:

```
nobody@Telcontar:~> locate 20071006.0109
/home/cer/pine-crash.20071006.0109
/home_aux/cer/pine-crash.20071006.0109
nobody@Telcontar:~> l /home/cer/pine-crash.20071006.0109
ls: cannot access /home/cer/pine-crash.20071006.0109: Permission denied
nobody@Telcontar:~> l /home/cer
ls: cannot open directory /home/cer: Permission denied
nobody@Telcontar:~>
```

He should not be able to locate that file, but he can.

This is due to the updatedb process in /etc/cron.daily/mlocate.cron not using the switch "--require-visibility yes". I have added that switch, and now (after running mlocate.cron once as root) I get a reasonable result:

```
nobody@Telcontar:~> locate 20071006.0109
nobody@Telcontar:~>
```

However, then my normal user cannot call locate:

```
cer@Telcontar:~> locate 20071006.0109
locate: can not open `/var/lib/mlocate/mlocate.db': Permission denied
cer@Telcontar:~>
```

because, I guess, he is not in the "locate" group. However, it is strange that "nobody" does not get that error. This is due to these strange permissions:

```
Telcontar:~ # l /var/lib/mlocate/mlocate.db
-rw-r----- 1 root nobody 54045911 Oct 26 22:19 /var/lib/mlocate/mlocate.db
Telcontar:~ #
```

It should be the "locate" group, not the "nobody" group.

See also Bug 902588 and Bug 847801.