From nobody@FreeBSD.ORG  Mon Oct  9 22:36:28 2000
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id DA5AA37B503; Mon,  9 Oct 2000 22:36:28 -0700 (PDT)
Message-Id: <20001010053628.DA5AA37B503@hub.freebsd.org>
Date: Mon,  9 Oct 2000 22:36:28 -0700 (PDT)
From: kahya@techie.com
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@FreeBSD.org
Subject: Security vunrebility found
X-Send-Pr-Version: www-1.0

>Number:         21887
>Category:       advocacy
>Synopsis:       Security vunrebility found
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-advocacy
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          wish
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 09 22:40:00 PDT 2000
>Closed-Date:    Mon Oct 9 22:46:27 PDT 2000
>Last-Modified:  Mon Oct  9 22:50:00 PDT 2000
>Originator:     Krish Ahya
>Release:        4.1-STABLE
>Organization:
>Environment:
[intel@marvin:~]$ uname -a
FreeBSD marvin.shell-server.com 4.1.1-STABLE FreeBSD 4.1.1-STABLE #0: Mon Oct  2 10:14:58 CDT 2000     eo@marvin.shell-server.com:/usr/src/sys/compile/MARVINUPBRIEF  i386
>Description:
 I've found a small security hole that allows other users on a bsd box to enter another user's home dir without any authentication.Well I am a user on this box and I found this accidentaly.Here is what happened and what I did.

[intel@marvin:~]$ cd /home

Ok, so, I enter /home and look at this.

[intel@marvin:/home]$ ls
acer/           danny/          hgcrew/         mazurr/         smorky/
action/         danut/          hidden/         mboyer/         sota/
ademko/         dds/            hqanime/        mcp/            spaz/
adrienne/       dewa/           infinity/       mxpx/           speed/
advert/         dimps/          intel/          naujik/         spider/
aljrooo7/       domreg/         ircd/           nebble/         spooky/
andrew/         drillaz/        isislight/      net-tech/       ssrev/
animehq/        dude/           jedi/           ocparty/        swilling/
apache/         eel/            jonza/          omr/            tef/
arcadia/        ellicit/        kakka/          paiakam/        tektonic/
argg/           enthrash/       karl/           pcmaster/       thor/
arity/          eo/             kirler/         penguin/        tkm/
azabel/         ertw/           kook/           picasso/        toril/
azor/           ervin/          koolzie/        polar/          traffic/
bcaldwel/       exes/           korn/           pollo/          triggzz/
bcentrl/        exorcist/       laan/           predator/       upz/
bhs/            farside/        ladybell/       proxy/          v2000/
bilange/        fastzoom/       lees01/         quake/          vcd/
bogus/          fei/            len/            quantum/        water/
brnt/           flash/          logg/           ram/            wheimeng/
bsd/            flea/           lpr/            rangeela/       winnie/
bubba1/         frosty/         luvhurt/        rattan/         woowoo/
cannibal/       ftp/            lynn/           rift/           xerox/
ceyx/           fusion/         macfarla/       rio/            xt-c/
char/           gameover/       madn0rp/        rodrigo/        zetro/
chris2u/        genxcess/       makaveli/       rolex/          zn/
chrome/         gilles/         manmower/       ryanh/
coolkizz/       goldsky/        mastas/         scp58/
cyrus/          hayz/           matt/           slvrdrgn/

Now I do this:

[intel@marvin:/home]$ cd bcentrl
[intel@marvin:/home/bcentrl]$ ls

Whoa, I've just entered bcentrl's home dir and I'm not root!

[intel@marvin:/home/bcentrl]$ ls
Maildir/                                report.tcl
bots/                                   stormbot.tcl
eggdrop1.3.27/                          stormbot.tclstormbot.tclstormbot.tcl
eggdrop1.3.27.tar

This way, I can grab access to any files in that dir.I don't think this should be possible.

Is there a possible fix for this?Maybe file permissions are set wrong?Any info would be helpful.Thank you.




>How-To-Repeat:
Not sure.
>Fix:
Not sure.

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: alfred 
State-Changed-When: Mon Oct 9 22:46:27 PDT 2000 
State-Changed-Why:  
user needs to read a book about unix permissions. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=21887 

From: Kris Kennaway <kris@citusc.usc.edu>
To: kahya@techie.com
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: advocacy/21887: Security vunrebility found
Date: Mon, 9 Oct 2000 22:48:24 -0700

 On Mon, Oct 09, 2000 at 10:36:28PM -0700, kahya@techie.com wrote:
 
 >  I've found a small security hole that allows other users on a bsd box to enter another user's home dir without any authentication.Well I am a user on this box and I found this accidentaly.Here is what happened and what I did.
 
 [...]
 
 Yes, this is how file permissions work. Read up about 'chmod'
 
 Kris
 
>Unformatted:
