Hi, >This don't say whether the locate database is always owned by nobody or >just temporary. (I am not at a slackware box.) I am just curious, because This is on my Slackware 8 box: freyr:/var/spool/locate# ls -l locatedb -rw-r--r-- 1 nobody nogroup 1664857 Aug 1 04:42 locatedb And this remains as nobody/nogroup. But: no user (except root) should be able to gain access to nobody. so this is not a security hole imho. Also if you run apache-cgi's as user, apache chowns to the owner of the cgi before executing it: -- snip -- #!/bin/sh echo "Content-type: text/plain" echo echo -n "Running cgi as: " id echo "Running httpd as: " ps -ef | grep httpd | head -1 -- snip -- reports when executed by apache: Running cgi as: uid=4109(dackel) gid=80(www) groups=80(www) Running httpd as: www 24330 23441 0 00:42 ? 00:00:27 /usr/local/apache/bin/httpd -DSS so, i don't see a problem here. Cheers -- -- Olaf Bohlen --------------------- cell +49-172-4561817 -- -- Maxfeldstrasse 16 --- mail <firefox@is.sun-powered.de> -- -- 90409 Nuernberg ------ http http://www.sun-powered.de/ -- -- Germany ---------------------- irc firefox01 (IRC-Net) -- -- ------------------------------------------------------ --
