On 8/10/05, Paul Howarth <paul@xxxxxxxxxxxx> wrote:
> Ankush Grover wrote:
> > The permissions on a user's home directory are normally 700 or 770. But I
> > was able to view the contents of the home directories of any user,
> > including the root user's home directory, from the browser. I tried this with
> > about 5 users, and those users don't have any root privileges, they are
> > just normal users, but they were able to read the contents of root's and
> > other users' home directories, and that indeed is a security breach.
>
> I can't reproduce this here (fc4).
>
> Putting "file:///root/" in the firefox address bar does nothing.
>
> Putting "file:///my/home/directory/" browses to my directory.
>
> Can you browse other directories (e.g. /root) using nautilus?
>
> What's the output of "ls -ld / /root"?
>
> None of this is anything to do with apache btw - file:// URLs are
> handled directly by the browser and aren't sent to a server.
>
> Paul.

I cannot reproduce that on a stock fc3 install. If I put file:///home I can see the home directories of all of the users, but I cannot browse to any of them but my own.

One question: could you have changed the browser binary to be suid or run with root permissions? Only thing I can think of.

John
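The two checks asked for in this thread (the `ls -ld` mode of the directories, and whether the browser binary is suid), combined into one script. This is an added example, not part of the original messages; the function names are hypothetical and the binary and directory paths are supplied by whoever runs it.

```shell
#!/bin/sh
# Added example: audit directory modes and a browser binary's suid/sgid bits.
# Usage (paths are the reader's own): sh audit.sh /path/to/browser / /root /home/*

# Print the "other" permission triplet from ls -ld, e.g. "---" or "r-x".
# Columns 8-10 of the mode string are the bits for users outside owner/group.
other_perms() {
    ls -ld -- "$1" | cut -c8-10
}

# Print the "group" triplet (columns 5-7); relevant for 770 home directories.
group_perms() {
    ls -ld -- "$1" | cut -c5-7
}

# Return 0 if users outside owner and group have any access to the path.
# "--T" is a sticky bit with no other-execute, which grants nothing.
world_accessible() {
    case "$(other_perms "$1")" in
        ---|--T) return 1 ;;
        *)       return 0 ;;
    esac
}

# Return 0 if the file carries the setuid or setgid bit, meaning it runs
# with its owner's or group's privileges instead of the caller's.
runs_elevated() {
    [ -u "$1" ] || [ -g "$1" ]
}

# audit BROWSER_BINARY DIR...
audit() {
    bin=$1; shift
    if runs_elevated "$bin"; then
        echo "WARN: $bin is setuid/setgid; file:// reads use its privileges"
    fi
    for d in "$@"; do
        if world_accessible "$d"; then
            echo "OPEN: $d other=$(other_perms "$d") group=$(group_perms "$d")"
        else
            echo "ok:   $d other=--- group=$(group_perms "$d")"
        fi
    done
}

if [ "$#" -gt 0 ]; then audit "$@"; fi
```

A home directory at 700 reports `ok`, while a listable parent such as `/home` reports `OPEN`, which matches what John describes seeing on a stock install.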