[Bug 902655] New: Access control in mlocate is not applied properly.
http://bugzilla.opensuse.org/show_bug.cgi?id=902655

            Bug ID: 902655
           Summary: Access control in mlocate is not applied properly.
    Classification: openSUSE
           Product: openSUSE 13.1
           Version: Final
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
          Assignee: bnc-team-screening@forge.provo.novell.com
          Reporter: carlos.e.r@opensuse.org
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Using mlocate, the user "nobody" can find files in a home directory to which
he has no permission at all.

Example:

nobody@Telcontar:~> locate 20071006.0109
/home/cer/pine-crash.20071006.0109
/home_aux/cer/pine-crash.20071006.0109
nobody@Telcontar:~> l /home/cer/pine-crash.20071006.0109
ls: cannot access /home/cer/pine-crash.20071006.0109: Permission denied
nobody@Telcontar:~> l /home/cer
ls: cannot open directory /home/cer: Permission denied
nobody@Telcontar:~>

He should not be able to locate that file, but he can.

This is due to the updatedb process in /etc/cron.daily/mlocate.cron not using
the switch "--require-visibility yes". I have added that switch, and now
(after running mlocate.cron once as root) I get a reasonable result:

nobody@Telcontar:~> locate 20071006.0109
nobody@Telcontar:~>

However, then my normal user cannot call locate:

cer@Telcontar:~> locate 20071006.0109
locate: can not open `/var/lib/mlocate/mlocate.db': Permission denied
cer@Telcontar:~>

because, I guess, he is not in the "locate" group. However, it is strange
that "nobody" does not get that error. This is due to these strange
permissions:

Telcontar:~ # l /var/lib/mlocate/mlocate.db
-rw-r----- 1 root nobody 54045911 Oct 26 22:19 /var/lib/mlocate/mlocate.db
Telcontar:~ #

It should be the "locate" group, not the "nobody" group.

See also Bug 902588 and Bug 847801

-- 
You are receiving this mail because:
You are on the CC list for the bug.
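The report boils down to two checks an administrator can script: is the database owned root:locate with mode 640, and does the cron job's updatedb invocation pass "--require-visibility yes"? The audit helper below is an added example written for this page; it is not part of the bug report, of openSUSE's mlocate.cron, or of the mlocate project. It assumes GNU coreutils stat (the -c format), takes the paths and expected ownership as parameters so it can be exercised against constructed sample files rather than the real /var/lib/mlocate/mlocate.db and /etc/cron.daily/mlocate.cron, and treats "-l 1" / "-l yes" as equivalent spellings of the long option. The cron snippets in demo() are constructed for illustration and are not the shipped openSUSE 13.1 script.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or the mlocate project).
# Checks the two conditions described in bug 902655:
#   1. the mlocate database is owned root:locate with mode 640, so only the
#      setgid "locate" binary (and root) can read it;
#   2. the cron job runs updatedb with "--require-visibility yes", so
#      locate(1) withholds entries under directories the caller cannot see.
# Assumes GNU stat. Paths are parameters so the checks can run against
# constructed files; production values on openSUSE 13.1 are
# /var/lib/mlocate/mlocate.db and /etc/cron.daily/mlocate.cron.

# check_db_perms DB OWNER GROUP MODE
# Exit 0 only if DB is owned OWNER:GROUP with octal mode MODE.
# Expected production arguments: DB root locate 640.
check_db_perms() {
    db=$1; want_owner=$2; want_group=$3; want_mode=$4
    [ -f "$db" ] || { echo "missing: $db"; return 1; }
    have=$(stat -c '%U %G %a' "$db") || return 1
    if [ "$have" = "$want_owner $want_group $want_mode" ]; then
        echo "ok: $db is $have"
        return 0
    fi
    echo "BAD: $db is $have, want $want_owner $want_group $want_mode"
    return 1
}

# check_cron_visibility CRON_SCRIPT
# Exit 0 only if a non-comment line that invokes updatedb carries
# "--require-visibility yes" (or the short form "-l yes" / "-l 1",
# assumed here to be accepted as synonyms by updatedb).
check_cron_visibility() {
    script=$1
    [ -f "$script" ] || { echo "missing: $script"; return 1; }
    if grep -v '^[[:space:]]*#' "$script" | grep 'updatedb' \
        | grep -Eq -- '(--require-visibility[= ]+(yes|1)|-l[= ]*(yes|1))'; then
        echo "ok: $script runs updatedb with --require-visibility yes"
        return 0
    fi
    echo "BAD: updatedb in $script does not require visibility"
    return 1
}

# demo: run the cron check against two constructed scripts, one without the
# switch (the situation the reporter found) and one with it (the fix).
# Exit 0 when the checker rejects the first and accepts the second.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\n/usr/bin/updatedb\n' > "$tmp/bad.cron"
    printf '#!/bin/sh\n/usr/bin/updatedb --require-visibility yes\n' \
        > "$tmp/good.cron"
    check_cron_visibility "$tmp/bad.cron";  bad=$?
    check_cron_visibility "$tmp/good.cron"; good=$?
    rm -rf "$tmp"
    [ "$bad" -ne 0 ] && [ "$good" -eq 0 ]
}
```

On a real system the two calls would be `check_db_perms /var/lib/mlocate/mlocate.db root locate 640` and `check_cron_visibility /etc/cron.daily/mlocate.cron`; both have to pass, because "--require-visibility yes" only helps if unprivileged users cannot simply read the database file themselves, which is exactly what the root:nobody ownership in the report defeats.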