212919 – nobody's home is /

Bug 212919 - nobody's home is /

Summary: nobody's home is /

Status:	RESOLVED DUPLICATE of bug 150159

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Default Configs (show other bugs)
Hardware:	x86 Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://trac.lighttpd.net/trac/ticket/...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2008-03-10 11:26 UTC by Julien Cayzac
Modified:	2008-03-10 11:29 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Julien Cayzac 2008-03-10 11:26:37 UTC

With Gentoo's default install, the home directory for the user "nobody" is set to "/".
This can lead to some serious security problems such as the one I sent to the lighttpd team (see the link above)
A solution would be to have nobody's home point to a non existent directory.

ps> I don't know what severity I should assign to this one since nothing "crashes" :-/


Reproducible: Always

Comment 1 Jakub Moc (RETIRED) gentoo-dev

2008-03-10 11:29:34 UTC


*** This bug has been marked as a duplicate of bug 150159 ***