What goes into default Debian?

Posted Feb 18, 2021 14:25 UTC (Thu) by Sesse (subscriber, #53779)
In reply to: What goes into default Debian? by eehakkin
Parent article: What goes into default Debian?

You can set anything so sensitive in PRUNEPATHS.

What goes into default Debian?

Posted Feb 18, 2021 21:35 UTC (Thu) by mathstuf (subscriber, #69389) [Link] (4 responses)

Is that a system setting that only the administrator can set or can users add paths to it somehow?

What goes into default Debian?

Posted Feb 19, 2021 5:55 UTC (Fri) by flussence (guest, #85566) [Link] (3 responses)

The default for mlocate's PRUNENAMES contains "CVS", so just invent a clever backronym for that and put your sensitive files in a directory named such. If that's still not sufficient then you have someone with root access limiting themselves to making malicious edits to updatedb.conf, which is a bizarre threat model to care about.

What goes into default Debian?

Posted Feb 19, 2021 14:16 UTC (Fri) by mathstuf (subscriber, #69389) [Link] (2 responses)

My question was a response to:

> You can set anything so sensitive in PRUNEPATHS.

I was asking if the "You" here needs root privileges to do that. I think anyone worrying about root should know that they should encrypt any files they wish to hide from them (assuming root isn't actively spying on in-use memory). I'm more thinking about someone writing code that ignored permission checks (say, a custom patched build of `locate`) when querying the database (I'm not sure if that is done on the `locate` side or somehow embedded into the database itself).

What goes into default Debian?

Posted Feb 19, 2021 16:52 UTC (Fri) by Sesse (subscriber, #53779) [Link] (1 responses)

You can custom-build your own locate without the access checks, but it needs to be installed sgid to get access to the locate database, so it wouldn't help you.

What goes into default Debian?

Posted Feb 19, 2021 22:53 UTC (Fri) by mathstuf (subscriber, #69389) [Link]

Ah, that sounds reasonable enough. Thanks.