Re: Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate

From: Josh Smith (joshat_private-networks.com)
Date: Wed Aug 01 2001 - 13:04:17 PDT

    In Slackware, it is constantly owned by nobody.  However, even if
    it is only owned by nobody for a certain period of time, it just creates
    a race condition and is still "a problem."
    
    >
    > This doesn't say whether the locate database is always owned by nobody or
    > just temporary. (I am not at a Slackware box.) I am just curious, because
    > some operating systems first create the database as nobody and then
    > immediately change the ownership (via a weekly cron job for example).
    >
    > If it is just temporary, then I assume an exploit must be timed.
    >
    > But, if it is always owned by nobody, then that is a problem. Nothing should
    > really be owned by "nobody" -- isn't that the purpose of the unprivileged
    > user?
    


