Received: (at submit) by bugs.debian.org; 4 Jul 1999 12:07:50 +0000
Received: (qmail 12369 invoked from network); 4 Jul 1999 12:07:49 -0000
Received: from hq.yok.utu.fi (qmailr@130.232.128.220)
  by master.debian.org with SMTP; 4 Jul 1999 12:07:49 -0000
Received: (qmail 11327 invoked by uid 1000); 4 Jul 1999 12:07:45 -0000
Date: 4 Jul 1999 12:07:45 -0000
Message-ID: <19990704120745.11326.qmail@hq.yok.utu.fi>
From: tv@debian.org
Subject: findutils: updatedb should run sort etc as non-root
To: submit@bugs.debian.org
X-Mailer: bug 3.2.0

Package: findutils
Version: 4.1-34
Severity: wishlist

[0 tv@hq ~]$ grep --before-context=20 '} | sort -f' /usr/bin/updatedb
  if [ "$LOCALUSER" != "" ]; then
    su $LOCALUSER -c \
    "$find $SEARCHPATHS \
     \\( $prunefs_exp \
     -type d -regex '$PRUNEREGEX' \\) -prune -o -print"
  else
    $find $SEARCHPATHS \
     \( $prunefs_exp \
     -type d -regex "$PRUNEREGEX" \) -prune -o -print
  fi
fi
if test -n "$NETPATHS"; then
  if [ "`whoami`" = root ]; then
    su $NETUSER -c \
     "$find $NETPATHS \\( -type d -regex '$PRUNEREGEX' -prune \\) -o -print"
  else
    $find $NETPATHS \( -type d -regex "$PRUNEREGEX" -prune \) -o -print
  fi
fi
} | sort -f | $frcode > $LOCATE_DB.n
[0 tv@hq ~]$ 

        updatedb should avoid running as root; sort has historically
        had /tmp races, and other danger lurk there too. 
        There is no reason not to su to $LOCALUSER for sort and friends
        also, in addition to just find.

-- System Information
Debian Release: potato
Kernel Version: Linux hq 2.2.9 #1 Thu May 20 07:43:14 EEST 1999 i686 unknown

Versions of the packages findutils depends on:
ii  libc6           2.1.1-10       GNU C Library: Shared libraries and timezone