* Darren J Moffat <Darren.Moffat at Sun.COM> [2008-08-20 14:13]:
> Luis de Bethencourt wrote:
>> locate is a clear security risk. For familiarity locate command should be
>> an alias to slocate executable.
>
> My understanding was that locate was perfectly secure providing it was not
> installed setuid/setgid and that the database it looks at was not generated
> by other user.
>
> The slocate case didn't provide an updatedb.conf file because this case was
> likely to deliver one.
>
> glocate would be wrong according to the rules because there is no clashing
> /usr/bin/locate at this time.

(I was expecting that /usr/bin/locate would be a symbolic link to slocate.)

> What do most Linux distributions that ship GNU findutils and slocate do?

I'd like an answer to this question as well. For instance, if locate is to be dropped from findutils, will findutils have a package dependency on slocate so that the installation of findutils always provides a locate implementation?

(As a comparison, the only component dropped from coreutils was su(1M). We even shipped shred, even though ZFS invalidates shred's assumptions about storage...)

- Stephen

--
sch at sun.com http://blogs.sun.com/sch/