locate knows about files on my encrypted partition

Bug #113312 reported by Thomas Zander on 2007-05-08
Affects Status Importance Assigned to Milestone
slocate (Ubuntu)

Bug Description

I was surprised to see that using /usr/bin/locate I got results from a partition that is only readable by my user and actually is an encrypted partition (openLuks).

I was under the impression that the updatedb application would run as 'nobody' which means it would not read my homedir if I would make it read only for my user. Which is what I did with my homedir as well as the /mnt/private partition. (it's got a chmod 700 1000.1000)

I mention the encryption here since I consider it a security vulnerability that a full index of an encrypted partition is stored on an unencrypted partition.

Kees Cook (kees) wrote :

Partitions that should not be indexed can be added to /etc/locatedb.conf's PRUNEPATHS variable. In the future, it would be nice to have some kind of PRUNECRYPT=1 setting as well.
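A check for the PRUNEPATHS approach mentioned above, as an added example that is not part of the original thread or of slocate: it reports which sensitive directories the indexer would still walk. It assumes the config file holds a shell-style `PRUNEPATHS="dir1 dir2"` assignment; the function names are hypothetical and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not slocate code). Assumes a shell-style config line such as
#   PRUNEPATHS="/tmp /usr/tmp /mnt/private"

# Print the value of PRUNEPATHS from config file $1 (last assignment wins).
prunepaths() {
    sed -n 's/^[[:space:]]*PRUNEPATHS=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Return 0 if directory $2 equals, or lies below, an entry of PRUNEPATHS in $1.
# Matching is done on whole path components, so /mnt/private does not
# cover /mnt/private2.
is_pruned() {
    dir=${2%/}
    for p in $(prunepaths "$1"); do
        p=${p%/}
        case "$dir/" in
            "$p"/*) return 0 ;;
        esac
    done
    return 1
}

# Print every directory from $2 onward that is NOT excluded from indexing.
unpruned() {
    conf=$1; shift
    for d in "$@"; do
        is_pruned "$conf" "$d" || printf '%s\n' "$d"
    done
}

# Demo on a constructed config: the private mount from the report is not
# listed, so it is reported as still being indexed.
sample=$(mktemp)
printf 'PRUNEPATHS="/tmp /usr/tmp"\n' > "$sample"
unpruned "$sample" /mnt/private /tmp/scratch
rm -f "$sample"
```

Run `unpruned` against the real config file with the mount points of encrypted volumes as arguments; any path it prints is still being written into the index.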

markor (markoresko) wrote :

I confirm that the reasoning about this bug is right. The index of encrypted partitions should be encrypted itself.
Thomas, does this indexing, and putting the index to unencrypted, also happen when the default Ubuntu encryption is used?
Since /etc/locatedb.conf should be considered if some non-standard encryption method is used.
But if standard encryption method is used, then this bug should be considered.

Phillip Susi (psusi) wrote :

This package has been removed from Ubuntu. Closing all related bugs.

Changed in slocate (Ubuntu):
status: Confirmed → Invalid
This report contains Public Security information
Everyone can see this security related information.