Subject: pkg/12741: lsof by default allows any user to list the files of any other user
To: None <gnats-bugs@gnats.netbsd.org>
From: None <Anne@netbsd.org, Bennett@netbsd.org>
List: netbsd-bugs
Date: 04/24/2001 10:32:05
>Number:         12741
>Category:       pkg
>Synopsis:       lsof by default allows any user to list the files of any other user
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 24 10:32:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     anne@alcor.concordia.ca
>Release:        1.5
>Organization:
Concordia University
>Environment:
NetBSD eridani.concordia.ca 1.5 NetBSD 1.5 (ERIDANI) #1: Tue Mar 20 15:48:34 EST 2001     anne@eridani.concordia.ca:/big/sources/usr/src/sys/arch/i386/compile/ERIDANI i386

>Description:
lsof lists any set of open files without checking first that
the caller is root; ordinary users should be able to list only
their own open files.  The ability of an ordinary user to list
the files of any other user, including root, could be a security
risk by revealing information that should be private.
>How-To-Repeat:
Run lsof as a non-privileged user.
>Fix:
Edit dialects/n+obsd/machine.h to decomment the definition
of HASSECURITY.
>Release-Note:
>Audit-Trail:
>Unformatted:
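
A check for whether the restriction described in the report is in effect, as an added example that is not part of the original report or of lsof itself: it parses lsof's field output (`lsof -F pu`, one `p<pid>` and `u<uid>` line per process) and reports any process owned by a UID other than the caller's. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the report or from lsof.
# Live use, as a non-privileged user (root sees every process either way):
#   lsof -F pu | foreign_procs "$(id -u)"

# foreign_procs UID
# Reads `lsof -F pu` output on stdin and prints "pid uid" for every
# process whose owner is not UID. Other field lines (f...) are ignored.
foreign_procs() {
    awk -v me="$1" '
        /^p/ { pid = substr($0, 2); next }
        /^u/ { uid = substr($0, 2)
               if (uid != me) print pid, uid
               next }
    '
}

# only_own_visible UID
# Succeeds (exit 0) when the listing on stdin contains no process owned
# by another user, which is what a HASSECURITY build should produce for
# an ordinary user. Fails (exit 1) when other users' processes are listed.
only_own_visible() {
    [ -z "$(foreign_procs "$1")" ]
}

# Constructed sample: what UID 1001 sees on an unrestricted build
# (a root-owned process, pid 1, is listed alongside its own pid 412).
sample_open='p1
u0
f3
p412
u1001
fcwd
'

# Constructed sample: what UID 1001 sees when only its own files are listed.
sample_restricted='p412
u1001
fcwd
'
```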