From owner-freebsd-questions Fri Feb 10 13:36:16 1995
Return-Path: questions-owner
Received: (from root@localhost) by freefall.cdrom.com (8.6.9/8.6.6) id NAA06961 for questions-outgoing; Fri, 10 Feb 1995 13:36:16 -0800
Received: from kksys.skypoint.net (kksys.skypoint.net [199.86.32.5]) by freefall.cdrom.com (8.6.9/8.6.6) with SMTP id NAA06953 for ; Fri, 10 Feb 1995 13:36:13 -0800
Received: from ncbc by kksys.skypoint.net with uucp (Smail3.1.29.1 #2) id m0rd2sf-0002kvC; Fri, 10 Feb 95 15:27 CST
Message-Id:
Received: from agabus/smmcgee by ncbc.ncbc.mn.org (PMail+UDG PegWaf v0.31 93.10.18) id 6016 for questions@FreeBSD.org; Fri, 10 Feb 1995 15:21:54 CST 6 CDT
To: questions@FreeBSD.org
From: SMMCGEE@ncbc.ncbc.mn.org (Sean McGee)
Date: Fri, 10 Feb 1995 15:21:47
Subject: Security Hole ?????
X-pmrqc: 1
Priority: normal
X-mailer: WinPMail v1.0 (R2)
Organization: North Central Bible College, Minneapolis, MN
Sender: questions-owner@FreeBSD.org
Precedence: bulk

The following is a transcript of a telnet session on my 2.0R host:

I logged in as a user with absolutely no rights whatsoever, with an account that has an expired password under 'chpass'.

><< Opened connection to jasper.ncbc.edu >>
>
> FreeBSD (jasper.ncbc.edu) (ttyp0)
>
>login: skpearso
>Password:
>Sorry -- your password has expired.
>Changing local password for root.
>New password:
>Retype new password:
>passwd: rebuilding the database...
>passwd: done
>Last login: Fri Feb 10 13:10:40 from h004
>Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
> The Regents of the University of California. All rights reserved.
>
>FreeBSD 2.0-RELEASE
>
>login: /bin/csh: Permission denied
>
><< Connection closed by other end. >>

As you can see, I was able to change root's password as a user with no rights when my account password had expired.

Is this a hole or am I missing something???

-sean