Re: Thankyou.
- From: Abe Fettig <abe fettig net>
- To: Seth Nickell <snickell stanford edu>
- Cc: Michael Meeks <michael ximian com>, bordoley msu edu, Johnathan Bailes <johnathan bailes esi baesystems com>, Damien Covey <djcovey softhome net>, nautilus-list <nautilus-list gnome org>
- Subject: Re: Thankyou.
- Date: 20 Aug 2002 09:18:45 -0400
If medusa isn't going to do text indexing, is there really a need for it
at all? Couldn't nautilus just use locate/find like the current Gnome
search tool does?
Abe
On Mon, 2002-08-19 at 22:20, Seth Nickell wrote:
> On Mon, 2002-08-19 at 03:32, Michael Meeks wrote:
> >
> > On Mon, 2002-08-19 at 03:36, Seth Nickell wrote:
> > > > The acute security issues have been solved then?
> > > >
> > > > Until then, it goes nowhere near nautilus.
> > >
> > > Remind me which acute security issues you are referring to?
> >
> > I believe (but am in no way certain) that the reason Medusa was not
> > shipped (by Ximian (and others)) was that it compromised security;
> > whether by storing world readable archives - or by breaking unix
> > permissions / groups or whatever - I know not.
> >
> > Presumably that is fixable, has it been fixed?
>
> Hi Michael,
>
> Medusa was originally not included in GNOME 1.4 because it was leaking
> file descriptors like mad. At the same time it was observed that the
> technique that Medusa was using to allow users to enable or disable
> global indexing could be a security hole (it was using /com which
> contains truly shared read-write data between users). This has since
> been rectified by removing that feature from medusa (now only the
> sysadmin can turn indexing on or off).
>
> Medusa stores its indexing database as root only and all access is done
> through a search daemon (which verifies the connecting process' UID etc,
> and will only pass back information about files that the user would be
> authorized to view). I would suggest we disable text indexing which is
> currently still rather slow, and poses the greatest possible security
> risk even supposing somebody did manage to trick medusa-searchd or get
> access to the index file. Without text indexing the information
> protected by medusa is relatively benign even assuming somebody could
> bypass Medusa's security. With text indexing, if Medusa were tricked
> it could return information from /etc/shadow or whatever. In any case,
> this would be a precautionary measure since theoretically medusa is
> secure in this area.
>
> -Seth
>
> --
> nautilus-list mailing list
> nautilus-list gnome org
> http://mail.gnome.org/mailman/listinfo/nautilus-list