Re: Thankyou.

If medusa isn't going to do text indexing, is there really a need for it
at all?  Couldn't nautilus just use locate/find like the current Gnome
search tool does?


On Mon, 2002-08-19 at 22:20, Seth Nickell wrote:
> On Mon, 2002-08-19 at 03:32, Michael Meeks wrote:
> > 
> > On Mon, 2002-08-19 at 03:36, Seth Nickell wrote:
> > > > 	The acute security issues have been solved then ?
> > > > 
> > > > 	Until then, it goes no-where near nautilus.
> > > 
> > > Remind me which acute security issues you are referring to?
> > 
> > 	I believe (but am in no way certain) that the reason Medusa was not
> > shipped (by Ximian (and others)) was that it compromised security;
> > whether by storing world readable archives - or by breaking unix
> > permissions / groups or whatever - I know not.
> > 
> > 	Presumably that is fixable, has it been fixed ?
> Hi Michael,
> Medusa was originally not included in GNOME 1.4 because it was leaking
> file descriptors like mad. At the same time it was observed that the
> technique that Medusa was using to allow users to enable or disable
> global indexing could be a security hole (it was using /com which
> contains truly shared read-write data between users). This has since
> been rectified by removing that feature from medusa (now only the
> sysadmin can turn indexing on or off). 
> Medusa stores its indexing database as root only and all access is done
> through a search daemon (which verifies the connecting process' UID etc,
> and will only pass back information about files that the user would be
> authorized to view). I would suggest we disable text indexing which is
> currently still rather slow, and poses the greatest possible security
> risk even supposing somebody did manage to trick medusa-searchd or get
> access to the index file. Without text indexing the information
> protected by medusa is relatively benign even assuming somebody could
> bypass Medusa's security. With text indexing, if Medusa's were tricked
> it could return information from /etc/shadow or whatever. In any case,
> this would be a precautionary measure since theoretically medusa is
> secure in this area.
> -Seth
> -- 
> nautilus-list mailing list
> nautilus-list gnome org

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]