findutils for OpenSolaris [LSARC/2008/531 FastTrack timeout 08/26/2008]
Luis de Bethencourt
Luis.Debethencourt at sun.com
Thu Aug 21 03:52:35 PDT 2008
Stephen Hahn wrote:
> * Darren J Moffat <Darren.Moffat at Sun.COM> [2008-08-20 14:13]:
>
>> Luis de Bethencourt wrote:
>>
>>> locate is a clear security risk. For familiarity locate command should be
>>> an alias to slocate executable.
>>>
>> My understanding was that locate was perfectly secure providing it was not
>> installed setuid/setgid and that the database it looks at was not generated
>> by another user.
>>
>> The slocate case didn't provide an updatedb.conf file because this case was
>> likely to deliver one.
>>
>> glocate would be wrong according to the rules because there is no clashing
>> /usr/bin/locate at this time.
>>
>
> (I was expecting that /usr/bin/locate would be a symbolic link to
> slocate.)
>
It is going to be like that. :)
>
>> What do most Linux distributions that ship GNU findutils and slocate do?
>>
>
> I'd like an answer to this question as well. For instance, if locate
> is to be dropped from findutils, will findutils have a package
> dependency on slocate so that the installation of findutils always
> provides a locate implementation?
>
That's a very good idea. I will add the dependency in the spec.
Luis
> (As a comparison, the only component dropped from coreutils was
> su(1M). We even shipped shred, even though ZFS invalidates shred's
> assumptions about storage...)
>
> - Stephen
>
>
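As an added example (not from this thread, and not code from findutils or slocate), a POSIX sh audit of the two conditions Darren states above: the locate binary carries no setuid/setgid bit, and the database it reads was not produced by another user. The binary and database paths are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example: check a locate installation against the two conditions named
# in the thread. Paths are supplied by the caller; nothing here is assumed to be
# the OpenSolaris layout.

# Return 0 if the binary exists and carries neither the setuid nor the setgid bit.
locate_binary_ok() {
    bin="$1"
    [ -f "$bin" ] || return 1
    if [ -u "$bin" ] || [ -g "$bin" ]; then
        return 1
    fi
    return 0
}

# Return 0 if the database is owned by the invoking user (or root) and is not
# writable by group or others, i.e. no other user could have generated or
# altered the index that locate will trust.
locate_db_ok() {
    db="$1"
    [ -f "$db" ] || return 1
    owner=$(ls -ld "$db" | awk '{print $3}')
    me=$(id -un)
    [ "$owner" = "$me" ] || [ "$owner" = root ] || return 1
    # First ten characters of ls -l: type, then user/group/other rwx triplets.
    perms=$(ls -ld "$db" | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?) return 1 ;;   # group- or world-writable
    esac
    return 0
}

# Combined check: 0 only when both conditions hold.
locate_install_ok() {
    locate_binary_ok "$1" && locate_db_ok "$2"
}
```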