Welcome to apple.newbox.org Sunday, April 30 2017 @ 01:08 AM EDT  
Links |  Past Polls |  Advanced Search |   
Topics
Home
Applications (8/0)
Classic (0/0)
Hardware (12/0)
Miscellaneous (6/0)
Networking/Serving (3/0)
Mac OS X (13/0)
Terminal/CLI (3/0)
iPhone (3/0)
General News (3/0)
GeekLog (1/0)

User Functions
Username:

Password:

Don't have an account yet? Sign up as a New User

What's New
STORIES
No new stories

LINKS last 2 wks
No recent new links


Older Stories
Saturday 06-Mar
  • iPad thoughts (0)

  • Friday 19-Feb
  • A Couple Small Time Machine Notes (0)

  • Saturday 26-Sep
  • Details about iPhone backups and restore (0)

  • Monday 29-Jun
  • Camera updates in iPhone OS 3.0 (0)

  • Saturday 30-May
  • Mac mini disassembly notes (0)

  • Friday 15-May
  • Notes about Windows 7 on a 10.4 Mac with Virtual Box (0)

  • Monday 02-Mar
  • Safari 4 (Beta) notes (0)

  • Saturday 17-Jan
  • Random software notes (0)

  • Wednesday 17-Dec
  • Quicksilver vs. Spotlight (0)
  • 10.5's Dock still sucks (0)


  • Locate running as root?    
    Monday, November 19 2007 @ 03:49 PM EST
    Contributed by: Admin

    Mac OS XUPDATE: I just tested this on my old 10.3 Mac... and the same thing happens! How long has this been the case? I could have sworn I've used 'locate' many times in the past and not seen other users' files. Hmm...

    (OK, now onto the original post.)

    One of the first things I noticed in Mac OS X 10.5 Leopard seems to be a bad change and I can't imagine why Apple made it. 'Locate' has worked fine since 10.0 came out over six years ago. (UPDATE part 2: seems I'm wrong--testing 'locate' on a 10.3 box shows the same insecure behavior--so I guess the only new thing is that they show the warning. This is so, so weird--I swear it didn't used to do that. I thought OS X just silently used 'slocate' like most Linux distros do.) Now that I've updated to 10.5, when I say
    sudo /usr/libexec/locate.updatedb
    it tells me
    >>> WARNING
    >>> Executing updatedb as root. This WILL reveal all filenames
    >>> on your machine to all login users, which is a security risk.


    Sure enough, if I 'su -' to another user, create a file with a unique name, switch back to me, and 'locate' that file, it pops right up. Why?

    An example:

    omg5:~ brian$ locate abc123
    omg5:~ brian$ su - admin
    Password:
    omg5:~ admin$ touch Desktop/abc123
    (Note: I put it in 'Desktop' because that folder has '700' permissions.)
    omg5:~ admin$ logout
    omg5:~ brian$ sudo /usr/libexec/locate.updatedb
    Password:
    >>> WARNING
    >>> Executing updatedb as root. This WILL reveal all filenames
    >>> on your machine to all login users, which is a security risk.
    omg5:~ brian$ locate abc123
    /Users/admin/abc123
    omg5:~ brian$


    Note: this does not mean other users can read all these files, it just means that they can see that they exist, which is still a major security no-no.

      [ Views: 2138 ]  


    Locate running as root? | 0 comments | Create New Account
    The following comments are owned by whomever posted them. This site is not responsible for what they say.
    What's Related

    Story Options
  • Mail Story to a Friend
  • Printable Story Format


  • Created this page in 0.30 seconds


     Copyright © 2017 apple.newbox.org
     All trademarks and copyrights on this page are owned by their respective owners.

    Powered By