Bug ID 989493
Summary mlocate security: normal user must be added to group nobody; wrong man page info about --require-visibility FLAG
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.1
Hardware x86-64
OS openSUSE 42.1
Status NEW
Severity Major
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter studio@anchev.net
QA Contact qa-bugs@suse.de
Found By ---
Blocker --- 

The man page of update db says (excerpt):

---------------
       -l, --require-visibility FLAG
              Set the ���require file visibility before reporting it��� flag in the
generated database to FLAG.


              If FLAG is 0 or no, or if the database file is readable by
"others" or it is not owned by nobody, locate(1) outputs the  database  entries
even if the user running locate(1) could not have read the directory necessary
to find out the file described by the database entry.


              If  FLAG is 1 or yes (the default), locate(1) checks the
permissions of parent directories of each entry before reporting it to the
invoking user.  To make the file existence truly hidden from other users, the
database group is set to nobody and the database permissions prohibit reading
the database by users using other means than locate(1), which is set-gid
nobody.


              Note that the visibility flag is checked only if the database is
owned by nobody and it is not readable by "others".
---------------

I made the following experiment:

- Run updatedb as root with no extra options (supposing by default it will use
flag 1 as per man page)
- Checked the permission of the db file (it was 644)
- Run "locate root" as normal user - I can see the contents of /root (which
means the man page is wrong and by default flag is 0)
- chown nobody: /var/lib/mlocate/mlocate.db
- Run "locate root" as normal user - again I can see the contents of /root
- chmod 640 /var/lib/mlocate/mlocate.db (as according to the documentation that
is required in order the flag 1 to be respected) - same result

Then I tried explicitly to run "updatedb -l 1" as root and I see that it
recreates the db file but this time the permissions are 640. So even when owned
by nobody a normal user cannot use the locate command:

> locate root
locate: can not open `/var/lib/mlocate/mlocate.db': Permission denied


After adding my user to group nobody I was able to run "locate root" without
seeing the files in "/root".

This whole thing means that:

1. The man page is not correct as the default is FLAG 0 (insecure), not 1
(secure)
2. One is forced to use the first approach (adding each user to group nobody).
I don't know what are the security implications of this but it doesn't sound as
something normal, right?
3. The script /etc/cron.daily/mlocate.cron needs to be modified somehow in
order to use explicitly FLAG 1 (is that possible?)

You are receiving this mail because: