From owner-freebsd-bugs  Fri Feb 23  1:40: 7 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 2FCA237B4EC
	for <freebsd-bugs@hub.freebsd.org>; Fri, 23 Feb 2001 01:40:02 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f1N9e2u48796;
	Fri, 23 Feb 2001 01:40:02 -0800 (PST)
	(envelope-from gnats)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 9034F37B401
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 23 Feb 2001 01:31:12 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f1N9VCF47928;
	Fri, 23 Feb 2001 01:31:12 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200102230931.f1N9VCF47928@freefall.freebsd.org>
Date: Fri, 23 Feb 2001 01:31:12 -0800 (PST)
From: davidx@viasoft.com.cn
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: misc/25301: default install allows other user visit directory /root
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


>Number:         25301
>Category:       misc
>Synopsis:       default install allows other user visit directory /root
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 23 01:40:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     David Xu
>Release:        FreeBSD-4.2 STABLE
>Organization:
viasoft
>Environment:
FreeBSD davidbsd.viasoft.com.cn 4.2-STABLE FreeBSD 4.2-STABLE #5: Thu Feb 22 11:
39:34 CST 2001     root@davidbsd.viasoft.com.cn:/usr/src/sys/compile/xu  i386
>Description:
FreeBSD 4.2 default install can let other users visit directory /root.
I see it as a security risk. when I install smbfs from posts and put
smbfs passwd config file in /root, I found other users can steal my samba mount password, then I found /root can be visited by other users. a sad day.

the thing never happens in Redhat Linux I ever used, Redhat Linux default does not allow other user visit /root. I think FreeBSD should do it too.

root is not a user, but a God, he has something must not let people know.


>How-To-Repeat:

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message