From owner-freebsd-bugs Fri Feb 23 1:40: 7 2001 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 2FCA237B4EC for ; Fri, 23 Feb 2001 01:40:02 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f1N9e2u48796; Fri, 23 Feb 2001 01:40:02 -0800 (PST) (envelope-from gnats) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 9034F37B401 for ; Fri, 23 Feb 2001 01:31:12 -0800 (PST) (envelope-from nobody@FreeBSD.org) Received: (from nobody@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f1N9VCF47928; Fri, 23 Feb 2001 01:31:12 -0800 (PST) (envelope-from nobody) Message-Id: <200102230931.f1N9VCF47928@freefall.freebsd.org> Date: Fri, 23 Feb 2001 01:31:12 -0800 (PST) From: davidx@viasoft.com.cn To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-1.0 Subject: misc/25301: default install allows other user visit directory /root Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 25301 >Category: misc >Synopsis: default install allows other user visit directory /root >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Feb 23 01:40:01 PST 2001 >Closed-Date: >Last-Modified: >Originator: David Xu >Release: FreeBSD-4.2 STABLE >Organization: viasoft >Environment: FreeBSD davidbsd.viasoft.com.cn 4.2-STABLE FreeBSD 4.2-STABLE #5: Thu Feb 22 11: 39:34 CST 2001 root@davidbsd.viasoft.com.cn:/usr/src/sys/compile/xu i386 >Description: FreeBSD 4.2 default install can let other users visit directory /root. I see it as a security risk. when I install smbfs from posts and put smbfs passwd config file in /root, I found other users can steal my samba mount password, then I found /root can be visited by other users. a sad day. the thing never happens in Redhat Linux I ever used, Redhat Linux default does not allow other user visit /root. I think FreeBSD should do it too. root is not a user, but a God, he has something must not let people know. >How-To-Repeat: >Fix: >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message