Re: updatedb?
On 12/18/12 23:04, C. P. Ghost wrote:
> On Tue, Dec 18, 2012 at 10:01 PM, Walter Hurry wrote:
> > $ sudo /usr/libexec/locate.updatedb
> > >>> WARNING
> > >>> Executing updatedb as root. This WILL reveal all filenames
> > >>> on your machine to all login users, which is a security risk.
> > $
> >
> > Why is it a "security risk"? Security through obscurity? Really? In this day and age?
> >
> > Or am I missing something?
>
> Suppose someone managed to start a shell under your account and is seeking to escalate privileges, i.e. to become root. If he can look at a full unrestricted locatedb, he may pay particular attention to config files, log files etc... that may otherwise be hidden from sight.
>
> Just by looking at this, he may infer that a particular software package at a particular revision is actually running on that host and is configured in a particular way. E.g., he may see that logfiles accumulate in /var/log and are cleaned only once a week. It would be then easy to induce that program to create more log files, thus denying service to other programs that need /var as well. This, in turn, could result in real exploits of those other programs...
>
> Sure, most of this is already world-visible and in the regular locatedb because we're so liberal with the rights of /var/db/pkg, /var/log, /etc, ... but some admins prefer to hide particularly sensitive programs, their configs, logs etc., in a non-world-readable directory hierarchy. Running locate.updatedb(8) with root privileges would defeat that strategy. That's why it is discouraged.
>
> Of course, this is even more necessary when you have regular users on that machine that don't necessarily trust each other. They wouldn't like their home dirs to be world-readable by default by everyone else. Maybe they won't object (and set /home/$USER to -rwxr-xr-x instead of -rwxr-x--- or -rwx--) but that's their call, not the sysadmin's.
>
> -cpghost.

Sorry, cpghost, I missed the point. Clear explanation.

Should such programs be modified so there is never a change to being run as root? I guess there are environments where measures like these are taken, no warning, just refuse to run as root?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: updatedb?
On 12/18/12 23:44, RW wrote:
> On Tue, 18 Dec 2012 22:53:29 +0100 Polytropon wrote:
> > On Tue, 18 Dec 2012 21:32:50 +, RW wrote:
> > > On Tue, 18 Dec 2012 21:01:33 + (UTC) Walter Hurry wrote:
> > > > $ sudo /usr/libexec/locate.updatedb
> > > > >>> WARNING
> > > > >>> Executing updatedb as root. This WILL reveal all filenames
> > > > >>> on your machine to all login users, which is a security risk.
> > > > $
> > > >
> > > > Why is it a "security risk"? Security through obscurity? Really? In this day and age?
> > > >
> > > > Or am I missing something?
> > >
> > > If permissions have been set to prevent other users reading filenames then obviously leaking file names is a security issue.
> >
> > There are no "leaking file names",
>
> There is from the perspective of an ordinary user that's configured directories under ~ to be confidential.
>
> > as by command, the tool does what it is requested to: to not obey the restrictions that apply in its _normal_ use and list _all_ file names instead.
>
> Obviously. But the warning is intended for people that haven't thought through the consequences of what they are doing.

Agree. It is good to be there. Should be clear to Walter I guess.
It is not security through obscurity, it is security by permissions and controls, and root can circumvent these and expose potential security risks by information to others or the world, thus the warning when running it as root. Thanks.

> On Tue, 18 Dec 2012 22:49:43 +0100 Bas Smeelen wrote:
> > Yes. But as stated before it defaults to run as user nobody.
> >
> > Line 26 /etc/periodic/weekly/310.locate
> > echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3
>
> This is true but not very relevant. It runs as nobody from the periodic script, but the warning comes from locate.updatedb itself, which may be run independently of 310.locate.
>
> > If someone runs it as root it can be, as everything being run as root, a security issue.
>
> Not really, mostly when things are run as root there is an additional risk. Very few things do the wrong thing simply as a consequence of running as root so it warrants a warning.

Fully agree. Root can be a liability though.
Re: updatedb?
On Tue, 18 Dec 2012 22:53:29 +0100 Polytropon wrote:
> On Tue, 18 Dec 2012 21:32:50 +, RW wrote:
> > On Tue, 18 Dec 2012 21:01:33 + (UTC)
> > Walter Hurry wrote:
> >
> > > $ sudo /usr/libexec/locate.updatedb
> > > >>> WARNING
> > > >>> Executing updatedb as root. This WILL reveal all filenames
> > > >>> on your machine to all login users, which is a security risk.
> > > $
> > >
> > > Why is it a "security risk"? Security through obscurity? Really?
> > > In this day and age?
> > >
> > > Or am I missing something?
> >
> > If permissions have been set to prevent other users reading
> > filenames then obviously leaking file names is a security issue.
>
> There are no "leaking file names",

There is from the perspective of an ordinary user that's configured directories under ~ to be confidential.

> as by command, the tool does
> what it is requested to: to not obey the restrictions that apply
> in its _normal_ use and list _all_ file names instead.

Obviously. But the warning is intended for people that haven't thought through the consequences of what they are doing.

On Tue, 18 Dec 2012 22:49:43 +0100 Bas Smeelen wrote:
> Yes. But as stated before it defaults to run as user nobody.
>
> Line 26 /etc/periodic/weekly/310.locate
> echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3

This is true but not very relevant. It runs as nobody from the periodic script, but the warning comes from locate.updatedb itself, which may be run independently of 310.locate.

> If someone runs it as root it can be, as everything being run as
> root, a security issue.

Not really, mostly when things are run as root there is an additional risk. Very few things do the wrong thing simply as a consequence of running as root so it warrants a warning.
Re: updatedb?
On 12/18/12 23:04, C. P. Ghost wrote:
> On Tue, Dec 18, 2012 at 10:01 PM, Walter Hurry wrote:
> > $ sudo /usr/libexec/locate.updatedb
> > >>> WARNING
> > >>> Executing updatedb as root. This WILL reveal all filenames
> > >>> on your machine to all login users, which is a security risk.
> > $
> >
> > Why is it a "security risk"? Security through obscurity? Really? In this day and age?
> >
> > Or am I missing something?
>
> Suppose someone managed to start a shell under your account and is seeking to escalate privileges, i.e. to become root. If he can look at a full unrestricted locatedb, he may pay particular attention to config files, log files etc... that may otherwise be hidden from sight.

locate.updatedb is _not_ run as root by default. See Polytropon's and other replies.
If root runs it, it is root's responsibility that others can obtain all filenames on the system.

> Just by looking at this, he may infer that a particular software package at a particular revision is actually running on that host and is configured in a particular way. E.g., he may see that logfiles accumulate in /var/log and are cleaned only once a week. It would be then easy to induce that program to create more log files, thus denying service to other programs that need /var as well. This, in turn, could result in real exploits of those other programs...
>
> Sure, most of this is already world-visible and in the regular locatedb because we're so liberal with the rights of /var/db/pkg, /var/log, /etc, ... but some admins prefer to hide particularly sensitive programs, their configs, logs etc., in a non-world-readable directory hierarchy. Running locate.updatedb(8) with root privileges would defeat that strategy. That's why it is discouraged.
>
> Of course, this is even more necessary when you have regular users on that machine that don't necessarily trust each other. They wouldn't like their home dirs to be world-readable by default by everyone else. Maybe they won't object (and set /home/$USER to -rwxr-xr-x instead of -rwxr-x--- or -rwx--) but that's their call, not the sysadmin's.
>
> -cpghost.
Re: updatedb?
On Tue, Dec 18, 2012 at 10:01 PM, Walter Hurry wrote:
> $ sudo /usr/libexec/locate.updatedb
> >>> WARNING
> >>> Executing updatedb as root. This WILL reveal all filenames
> >>> on your machine to all login users, which is a security risk.
> $
>
> Why is it a "security risk"? Security through obscurity? Really? In this
> day and age?
>
> Or am I missing something?

Suppose someone managed to start a shell under your account and is seeking to escalate privileges, i.e. to become root. If he can look at a full unrestricted locatedb, he may pay particular attention to config files, log files etc... that may otherwise be hidden from sight.

Just by looking at this, he may infer that a particular software package at a particular revision is actually running on that host and is configured in a particular way. E.g., he may see that logfiles accumulate in /var/log and are cleaned only once a week. It would be then easy to induce that program to create more log files, thus denying service to other programs that need /var as well. This, in turn, could result in real exploits of those other programs...

Sure, most of this is already world-visible and in the regular locatedb because we're so liberal with the rights of /var/db/pkg, /var/log, /etc, ... but some admins prefer to hide particularly sensitive programs, their configs, logs etc., in a non-world-readable directory hierarchy. Running locate.updatedb(8) with root privileges would defeat that strategy. That's why it is discouraged.

Of course, this is even more necessary when you have regular users on that machine that don't necessarily trust each other. They wouldn't like their home dirs to be world-readable by default by everyone else. Maybe they won't object (and set /home/$USER to -rwxr-xr-x instead of -rwxr-x--- or -rwx--) but that's their call, not the sysadmin's.

-cpghost.

--
Cordula's Web. http://www.cordula.ws/
Re: updatedb?
On Tue, 18 Dec 2012 21:32:50 +, RW wrote:
> On Tue, 18 Dec 2012 21:01:33 + (UTC)
> Walter Hurry wrote:
>
> > $ sudo /usr/libexec/locate.updatedb
> > >>> WARNING
> > >>> Executing updatedb as root. This WILL reveal all filenames
> > >>> on your machine to all login users, which is a security risk.
> > $
> >
> > Why is it a "security risk"? Security through obscurity? Really? In
> > this day and age?
> >
> > Or am I missing something?
>
> If permissions have been set to prevent other users reading filenames
> then obviously leaking file names is a security issue.

There are no "leaking file names", as by command, the tool does what it is requested to: to not obey the restrictions that apply in its _normal_ use and list _all_ file names instead.

See /etc/periodic/weekly/310.locate for example: The default call of locate.updatedb is this:

    echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3

The program (script) will additionally honor settings in the /etc/locate.rc file.

So if the questioned use of "sudo /usr/libexec/locate.updatedb" to run it as root (with _all_ permissions!) leads to the intended behaviour, i. e. list _all_ files on the system, that isn't actually a leak, I'd say. (Terminology: A leak would appear if you'd run locate.updatedb with the "nobody" user, and still file names from inside a o-rwx directory would appear!)

I really like the analogy provided by Devin Teske in his reply:

    When you run updatedb as root, it traverses all directories even those that you may have posted a big "keep out" sign on (aforementioned "chmod"). Then every non-privileged user on the system can list the contents of your secret hideout with the "keep out" sign posted on it. You might have well built that house out of glass (they can't read the contents of the books on your bookshelf, but they can see the covers and know what you've got stocked on the shelves).

Again: If that's intended, locate.updatedb will act as instructed. Oh behold the unlimited power of root. :-)

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: updatedb?
On 12/18/12 22:32, RW wrote:
> On Tue, 18 Dec 2012 21:01:33 + (UTC) Walter Hurry wrote:
> > $ sudo /usr/libexec/locate.updatedb
> > >>> WARNING
> > >>> Executing updatedb as root. This WILL reveal all filenames
> > >>> on your machine to all login users, which is a security risk.
> > $
> >
> > Why is it a "security risk"? Security through obscurity? Really? In this day and age?
> >
> > Or am I missing something?
>
> If permissions have been set to prevent other users reading filenames then obviously leaking file names is a security issue.

Yes. But as stated before it defaults to run as user nobody.

Line 26 /etc/periodic/weekly/310.locate
echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3

No issue there.
If someone runs it as root it can be, as everything being run as root, a security issue.
Re: updatedb?
On Tue, 18 Dec 2012 21:01:33 + (UTC) Walter Hurry wrote:
> $ sudo /usr/libexec/locate.updatedb
> >>> WARNING
> >>> Executing updatedb as root. This WILL reveal all filenames
> >>> on your machine to all login users, which is a security risk.
> $
>
> Why is it a "security risk"? Security through obscurity? Really? In
> this day and age?
>
> Or am I missing something?

If permissions have been set to prevent other users reading filenames then obviously leaking file names is a security issue.
Re: updatedb?
On Tue, Dec 18, 2012 at 3:01 PM, Walter Hurry wrote:
> Security through obscurity? Really? In this
> day and age?
>

My password is obscured from you. I consider that more secure regardless of what any other opinion is.

--
Adam Vande More
Re: updatedb?
On Tue, 18 Dec 2012 21:01:33 + (UTC), Walter Hurry wrote:
> $ sudo /usr/libexec/locate.updatedb
> >>> WARNING
> >>> Executing updatedb as root. This WILL reveal all filenames
> >>> on your machine to all login users, which is a security risk.
> $
>
> Why is it a "security risk"? Security through obscurity? Really? In this
> day and age?
>
> Or am I missing something?

Depends. In case you're using your system primarily as a single-user installation - no problem. If there are users who don't have trust in others (and this is _correct_), any call of "locate " could reveal data stored on different user accounts, even if they cannot be accessed due to o-x for the individual home directories. Sometimes file names can already tell a lot.

The locate.updatedb is usually run from the "nobody" user account when invoked automatically. This means that the directory restrictions can apply (e. g. user home directories cannot be searched when they have o-x attribute).

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: updatedb?
On Dec 18, 2012, at 1:01 PM, Walter Hurry wrote:
> $ sudo /usr/libexec/locate.updatedb
> >>> WARNING
> >>> Executing updatedb as root. This WILL reveal all filenames
> >>> on your machine to all login users, which is a security risk.
> $
>
> Why is it a "security risk"? Security through obscurity? Really? In this
> day and age?
>
> Or am I missing something?

You're missing the fact that updatedb essentially makes a list of every file on your disk (and that this list is able to be queried by anybody regardless of permissions or group membership).

The best and most notable example of this constituting a "security risk" is if you've prevented access to a directory… root's home-directory (/root) for example. Illustratively, this would be if you did "chmod go-wrx somedir" so that only the owner could see inside it.

When you run updatedb as root, it traverses all directories even those that you may have posted a big "keep out" sign on (aforementioned "chmod"). Then every non-privileged user on the system can list the contents of your secret hideout with the "keep out" sign posted on it. You might have well built that house out of glass (they can't read the contents of the books on your bookshelf, but they can see the covers and know what you've got stocked on the shelves).

If this doesn't concern you, (and there's plenty of reasons to ignore this warning -- say, if you operate in a closed environment where trust isn't an issue and you value the ability to find any file on the system at any time) -- then proceed my friend, … proceed.

Otherwise, it's best to think about running updatedb as a non-privileged user that (a) can't use built-in super-user privileges to bypass security settings when enumerating the UNIX filesystems you've configured in locate.conf(5) (optional -- by default it acts sensibly and ignores what you'd expect it to).

--
Devin
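An audit for the exposure discussed in this thread, as an added example that is not part of any poster's message or of FreeBSD's own scripts: given a list of paths, one per line (for instance the output of a locate(1) query), it reports every entry that sits under a directory whose "other" permission bits deny listing, which is what a database built as root contains and one built as nobody does not. The function names are hypothetical, and it assumes the unprivileged reader is neither owner nor group member of the directories and that no ACLs apply.

```shell
#!/bin/sh
# Added example, not from the thread: flag database entries that sit under a
# directory "other" users cannot list (the "keep out" sign in the analogy).
# Function names are hypothetical. Assumes the unprivileged reader is neither
# owner nor group member of the directories, and that no ACLs are in play.

# other_can_list DIR: succeeds if the "other" triplet of DIR grants r and x.
other_can_list() {
    # Columns 8-10 of `ls -ld` are the "other" bits; 't' is sticky plus x.
    oc_mode=$(ls -ld "$1" 2>/dev/null | head -n 1 | cut -c8-10)
    case $oc_mode in
        r?x|r?t) return 0 ;;
        *)       return 1 ;;
    esac
}

# hidden_ancestor PATH [BASE]: print the outermost directory between BASE
# (default /) and PATH that "other" cannot list; fail if there is none.
hidden_ancestor() {
    ha_dir=$(dirname "$1")
    ha_base=${2:-/}
    ha_found=
    while :; do
        # Directories that no longer exist (stale entries) are skipped.
        if [ -d "$ha_dir" ] && ! other_can_list "$ha_dir"; then
            ha_found=$ha_dir
        fi
        case $ha_dir in "$ha_base"|/|.) break ;; esac
        ha_dir=$(dirname "$ha_dir")
    done
    [ -n "$ha_found" ] && printf '%s\n' "$ha_found"
}

# audit_paths [BASE]: read one path per line on stdin and print
# "restricted-directory TAB exposed-path" for every exposed entry.
audit_paths() {
    while IFS= read -r ap_entry; do
        if ap_hid=$(hidden_ancestor "$ap_entry" "${1:-/}"); then
            printf '%s\t%s\n' "$ap_hid" "$ap_entry"
        fi
    done
}
```

Any output line means the database was built with more privilege than the accounts that can query it; rebuilding it through the periodic script's `su -fm nobody` call removes those entries.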