From nobody@FreeBSD.org Fri Feb 23 01:31:15 2001
Return-Path:
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 9034F37B401 for ; Fri, 23 Feb 2001 01:31:12 -0800 (PST) (envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f1N9VCF47928; Fri, 23 Feb 2001 01:31:12 -0800 (PST) (envelope-from nobody)
Message-Id: <200102230931.f1N9VCF47928@freefall.freebsd.org>
Date: Fri, 23 Feb 2001 01:31:12 -0800 (PST)
From: davidx@viasoft.com.cn
To: freebsd-gnats-submit@FreeBSD.org
Subject: default install allows other user visit directory /root
X-Send-Pr-Version: www-1.0

>Number: 25301
>Category: misc
>Synopsis: default install allows other user visit directory /root
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: closed
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Feb 23 01:40:01 PST 2001
>Closed-Date: Fri Feb 23 06:59:58 PST 2001
>Last-Modified: Fri Feb 23 07:10:01 PST 2001
>Originator: David Xu
>Release: FreeBSD-4.2 STABLE
>Organization: viasoft
>Environment:
FreeBSD davidbsd.viasoft.com.cn 4.2-STABLE FreeBSD 4.2-STABLE #5: Thu Feb 22 11:39:34 CST 2001 root@davidbsd.viasoft.com.cn:/usr/src/sys/compile/xu i386
>Description:
The FreeBSD 4.2 default install lets other users visit the directory /root. I see it as a security risk. When I installed smbfs from ports and put the smbfs password config file in /root, I found that other users could steal my Samba mount password, and then I found that /root can be visited by other users. A sad day.

That never happens in the Redhat Linux I have used; the Redhat Linux default does not allow other users to visit /root. I think FreeBSD should do it too.

root is not a user but a God; he has things that people must not be allowed to know.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: will
State-Changed-When: Fri Feb 23 06:59:58 PST 2001
State-Changed-Why:
If you have something particularly important in your root, try ``chmod 700 /root''. Next time post a message like this to -questions.
http://www.freebsd.org/cgi/query-pr.cgi?pr=25301

From: "Michael C . Wu"
To: davidx@viasoft.com.cn
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/25301: default install allows other user visit directory /root
Date: Fri, 23 Feb 2001 08:58:10 -0600

On Fri, Feb 23, 2001 at 01:31:12AM -0800, davidx@viasoft.com.cn scribbled:
|
| >Number: 25301
| >Category: misc
| >Synopsis: default install allows other user visit directory /root
| >Confidential: no
| >Severity: non-critical
| >Priority: low
| >Responsible: freebsd-bugs
| >State: open
| >Quarter:
| >Keywords:
| >Date-Required:
| >Class: sw-bug
| >Submitter-Id: current-users
| >Arrival-Date: Fri Feb 23 01:40:01 PST 2001
| >Closed-Date:
| >Last-Modified:
| >Originator: David Xu
| >Release: FreeBSD-4.2 STABLE
| >Organization:
| viasoft
| >Environment:
| FreeBSD davidbsd.viasoft.com.cn 4.2-STABLE FreeBSD 4.2-STABLE #5: Thu Feb 22 11:39:34 CST 2001 root@davidbsd.viasoft.com.cn:/usr/src/sys/compile/xu i386
| >Description:
| The FreeBSD 4.2 default install lets other users visit the directory /root.
| I see it as a security risk. When I installed smbfs from ports and put
| the smbfs password config file in /root, I found that other users could steal my Samba mount password, and then I found that /root can be visited by other users. A sad day.
|
| That never happens in the Redhat Linux I have used; the Redhat Linux default does not allow other users to visit /root. I think FreeBSD should do it too.
|
| root is not a user but a God; he has things that people must not be allowed to know.
|

This is a problem that you as a user need to solve and set up correctly. You misconfigured your Samba anyway.
Had you been more experienced, you would never be doing what you are trying to do. man chmod. Redhat has the same behavior as FreeBSD for directory permissions. This is not a security risk.

--
+------------------------------------------------------------------+
| keichii@peorth.iteration.net | keichii@bsdconspiracy.net         |
| http://peorth.iteration.net/~keichii | Yes, BSD is a conspiracy. |
+------------------------------------------------------------------+

>Unformatted:
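The ``chmod 700 /root'' advice with which the PR was closed, as an added shell example that is not code from the PR thread or from FreeBSD. It models the permission check an unrelated, unprivileged user faces on the way to a file (search bit on the directory, read bit on the file) by reading mode bits from ls -ld, and runs against a constructed temporary directory standing in for /root and a constructed .nsmbrc (the file mount_smbfs(8) reads credentials from) standing in for the reporter's password file; both the directory and the file contents are assumptions for the demonstration.

```sh
#!/bin/sh
# Added example, not code from PR 25301 or from FreeBSD. Audits a directory
# for group/other access and tightens it to mode 0700, the fix suggested
# when the PR was closed. The temporary directory below is a constructed
# stand-in for /root; on a live host you would point the functions at
# /root and the real file instead.

# Nine-character symbolic mode of a path, e.g. "rwxr-xr-x" for 0755.
# ls -ld is used instead of stat(1) because stat's flags differ between
# BSD and GNU, while the symbolic mode string is the same everywhere.
mode_string() {
    ls -ld "$1" | cut -c2-10
}

# Return 0 when no group or other bit is set (private to the owner), else 1.
is_private() {
    case "$(mode_string "$1")" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# Drop all group/other access while keeping the owner's rwx (chmod 700).
lock_down() {
    chmod 700 "$1"
}

# Emulate what a user who is neither the owner nor in the group can do with
# $2 inside directory $1: the directory must grant others search ("x", or
# "t" when sticky) and the file must grant others read ("r"). Prints
# "readable" or "blocked" and returns 0/1 accordingly. Reading mode bits
# rather than calling access(2) gives the same answer whether or not this
# script itself runs as root.
readable_by_others() {
    case "$(mode_string "$1")" in
        ????????[xt]) ;;                       # others may traverse the dir
        *) echo blocked; return 1 ;;
    esac
    case "$(mode_string "$2")" in
        ??????r??) echo readable; return 0 ;;  # others may read the file
        *)         echo blocked;  return 1 ;;
    esac
}

# Demonstration on a constructed scenario.
demo=$(mktemp -d)            # stand-in for /root (assumption)
chmod 755 "$demo"            # the default directory mode the PR complains about
# Constructed stand-in for the smbfs credential file; with the usual 022
# umask a freshly written file ends up 0644, which is what is forced here.
printf 'password=not-a-real-secret\n' > "$demo/.nsmbrc"
chmod 644 "$demo/.nsmbrc"

printf 'dir mode before: %s\n' "$(mode_string "$demo")"
printf 'secret before:   %s\n' "$(readable_by_others "$demo" "$demo/.nsmbrc")"
lock_down "$demo"
printf 'dir mode after:  %s\n' "$(mode_string "$demo")"
printf 'secret after:    %s\n' "$(readable_by_others "$demo" "$demo/.nsmbrc")"
rm -rf "$demo"
```

Because the directory's search bit is checked first, chmod 700 on the directory blocks other users even from files left at 0644 by the default umask, which is why the closer's one-liner is sufficient on its own; tightening the file to 0600 instead also blocks it, but only that one file.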