http://bugzilla.suse.com/show_bug.cgi?id=989493 Bug ID: 989493 Summary: mlocate security: normal user must be added to group nobody; wrong man page info about --require-visibility FLAG Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.1 Hardware: x86-64 OS: openSUSE 42.1 Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: studio@anchev.net QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- The man page of update db says (excerpt): --------------- -l, --require-visibility FLAG Set the “require file visibility before reporting it” flag in the generated database to FLAG. If FLAG is 0 or no, or if the database file is readable by "others" or it is not owned by nobody, locate(1) outputs the database entries even if the user running locate(1) could not have read the directory necessary to find out the file described by the database entry. If FLAG is 1 or yes (the default), locate(1) checks the permissions of parent directories of each entry before reporting it to the invoking user. To make the file existence truly hidden from other users, the database group is set to nobody and the database permissions prohibit reading the database by users using other means than locate(1), which is set-gid nobody. Note that the visibility flag is checked only if the database is owned by nobody and it is not readable by "others". --------------- I made the following experiment: - Run updatedb as root with no extra options (supposing by default it will use flag 1 as per man page) - Checked the permission of the db file (it was 644) - Run "locate root" as normal user - I can see the contents of /root (which means the man page is wrong and by default flag is 0) - chown nobody: /var/lib/mlocate/mlocate.db - Run "locate root" as normal user - again I can see the contents of /root - chmod 640 /var/lib/mlocate/mlocate.db (as according to the documentation that is required in order the flag 1 to be respected) - same result Then I tried explicitly to run "updatedb -l 1" as root and I see that it recreates the db file but this time the permissions are 640. So even when owned by nobody a normal user cannot use the locate command:

locate root locate: can not open `/var/lib/mlocate/mlocate.db': Permission denied

After adding my user to group nobody I was able to run "locate root" without seeing the files in "/root". This whole thing means that: 1. The man page is not correct as the default is FLAG 0 (insecure), not 1 (secure) 2. One is forced to use the first approach (adding each user to group nobody). I don't know what are the security implications of this but it doesn't sound as something normal, right? 3. The script /etc/cron.daily/mlocate.cron needs to be modified somehow in order to use explicitly FLAG 1 (is that possible?) -- You are receiving this mail because: You are on the CC list for the bug.