 |
 |
 |
|
 |
 |
Don't have an account yet? Sign up as a New User
|
|
 |
 |
 |
|
 |
 |
STORIES No new stories
LINKS last 2 wks No recent new links
|
|
|
 |
 |
 |
 |
Locate running as root? |
|
Monday, November 19 2007 @ 03:49 PM EST Contributed by: Admin
UPDATE: I just tested this on my old 10.3 Mac... and the same thing happens! How long has this been the case? I could have sworn I've used 'locate' many times in the past and not seen other users' files. Hmm...
(OK, now onto the original post.)
One of the first things I noticed in Mac OS X 10.5 Leopard seems to be a bad change and I can't imagine why Apple made it. 'Locate' has worked fine since 10.0 came out over six years ago. (UPDATE part 2: seems I'm wrong--testing 'locate' on a 10.3 box shows the same insecure behavior--so I guess the only new thing is that they show the warning. This is so, so weird--I swear it didn't used to do that. I thought OS X just silently used 'slocate' like most Linux distros do.) Now that I've updated to 10.5, when I say
sudo /usr/libexec/locate.updatedb it tells me
>>> WARNING
>>> Executing updatedb as root. This WILL reveal all filenames
>>> on your machine to all login users, which is a security risk.
Sure enough, if I 'su -' to another user, create a file with a unique name, switch back to me, and 'locate' that file, it pops right up. Why?
|
|
read more (84 words) 0 comments |
Post a comment [ Views: 2877 ] |
|
|
 |
 |
 |
 |
|