locate knows about files on my encrypted partition

Bug #113312 reported by Thomas Zander
Affects: slocate (Ubuntu)
Status: Invalid
Importance: Wishlist
Assigned to: Unassigned

Bug Description

I was surprised to see that using /usr/bin/locate I got results from a partition that is only readable by my user and actually is an encrypted partition (openLuks).

I was under the impression that the updatedb application would run as 'nobody' which means it would not read my homedir if I would make it read only for my user. Which is what I did with my homedir as well as the /mnt/private partition. (it's got a chmod 700 1000.1000)

I mention the encryption here since I consider it a security vulnerability that a full index of an encrypted partition is stored on an unencrypted partition.

Kees Cook (kees) wrote :

Partitions that should not be indexed can be added to /etc/locatedb.conf's PRUNEPATHS variable. In the future, it would be nice to have some kind of PRUNECRYPT=1 setting as well.
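
A check for the PRUNEPATHS workaround described above, as an added example that is not part of the original thread or of slocate: it lists the given mount points that no PRUNEPATHS entry covers. It assumes the config holds a shell-style `PRUNEPATHS="/a /b"` line; the function names and the sample config are constructed.

```shell
#!/bin/sh
# Added example: report mount points that the locate indexer would still scan.
# Assumption: the config file contains a line of the form PRUNEPATHS="/a /b".

# Print the space-separated PRUNEPATHS value from config file $1.
# Commented-out lines are ignored; the last assignment wins.
prune_paths() {
    sed -n 's/^[[:space:]]*PRUNEPATHS[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# unpruned_mounts CONFIG MOUNTPOINT...
# Print each mount point that is neither listed in PRUNEPATHS nor located
# below a listed directory.
unpruned_mounts() {
    conf=$1; shift
    pruned=$(prune_paths "$conf")
    for mnt in "$@"; do
        covered=no
        for p in $pruned; do
            p=${p%/}                      # "/media/" and "/media" are the same entry
            case "$mnt/" in
                "$p"/*) covered=yes; break ;;   # exact match or subdirectory
            esac
        done
        [ "$covered" = yes ] || printf '%s\n' "$mnt"
    done
}

# Constructed sample config and mount list (not taken from a real system).
# On a live system the encrypted mount points could be gathered with, e.g.:
#   lsblk -rno TYPE,MOUNTPOINT | awk '$1 == "crypt" { print $2 }'
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
PRUNEPATHS="/tmp /var/spool /media"
EOF
unpruned_mounts "$sample" /mnt/private /media/usb /tmp
rm -f "$sample"
```

Adding a path to PRUNEPATHS only affects later runs: entries already written to the locate database remain there until updatedb rebuilds it.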

markor (markoresko) wrote :

I confirm that the reasoning about this bug is right. The index of encrypted partitions should be encrypted itself.
Thomas, does this indexing, and putting the index on unencrypted storage, also happen when the default Ubuntu encryption is used?
/etc/locatedb.conf should be considered if some non-standard encryption method is used.
But if the standard encryption method is used, then this bug should be considered.

Phillip Susi (psusi) wrote :

This package has been removed from Ubuntu. Closing all related bugs.

Changed in slocate (Ubuntu):
status: Confirmed → Invalid
This report contains Public Security information  
Everyone can see this security related information.
