From owner-freebsd-bugs Tue Oct 15 10:27:50 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA22220 for bugs-outgoing; Tue, 15 Oct 1996 10:27:50 -0700 (PDT)
Received: from typhoon.dial.pipex.net (typhoon.dial.pipex.net [158.43.128.46]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA22215 for ; Tue, 15 Oct 1996 10:27:48 -0700 (PDT)
Received: from gazebo.candler.demon.co.uk by typhoon.dial.pipex.net (8.7.5/) id SAA27760; Tue, 15 Oct 1996 18:26:45 +0100 (BST)
Received: (from brian@localhost) by gazebo.candler.demon.co.uk (8.6.12/8.6.9) id SAA02460; Tue, 15 Oct 1996 18:09:58 +0100
From: Brian Candler
Message-Id: <199610151709.SAA02460@gazebo.candler.demon.co.uk>
Subject: FreeBSD security bug
To: bugs@freebsd.org
Date: Tue, 15 Oct 1996 18:09:57 +0100 (BST)
Cc: t12@psg.com
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I found what I believe is a security bug in FreeBSD while using it in the NATO Advanced Networking Workshop in St Petersburg.

It appears that if a FreeBSD box has no root password, it will accept 'r' commands for root from *any* machine, even with no entry in ~root/.rhosts.

This was actually quite useful (we could 'rdist' files from any PC to any other PC without having to enable it on the destination machines) but I presume unintentional :-)

Brian Candler
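
An audit for the condition the report describes: an account with an empty password field on a host that still has the rsh/rlogin/rexec services enabled. This is an added example, not part of the original message or of FreeBSD. It assumes master.passwd layout (password in field 2) and inetd.conf service names; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit for the condition described in the report above.
# Inputs are parameters; the sample files below are constructed.

# Names of accounts whose password field (field 2) is empty.
empty_password_accounts() {
    awk -F: '$1 !~ /^#/ && NF >= 7 && $2 == "" { print $1 }' "$1"
}

# r-command services left enabled in an inetd.conf-style file:
# shell = rshd, login = rlogind, exec = rexecd. Commented-out
# entries have "#shell" etc. as their first field and do not match.
enabled_r_services() {
    awk '$1 == "shell" || $1 == "login" || $1 == "exec" { print $1 }' "$1"
}

# One-line verdict for a host, given its two files.
audit_host() {
    accounts=$(empty_password_accounts "$1" | paste -sd, -)
    services=$(enabled_r_services "$2" | paste -sd, -)
    if [ -n "$accounts" ] && [ -n "$services" ]; then
        echo "EXPOSED accounts=$accounts services=$services"
    elif [ -n "$accounts" ]; then
        echo "WEAK accounts=$accounts (no r-services enabled)"
    else
        echo "OK"
    fi
}

# Constructed sample data (not taken from any real host).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PASSWD="$SAMPLE_DIR/master.passwd"
SAMPLE_INETD="$SAMPLE_DIR/inetd.conf"
cat > "$SAMPLE_PASSWD" <<'EOF'
# constructed sample in master.passwd layout
root::0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:$1$constructed$placeholder:1001:1001::0:0:Sample user:/home/alice:/bin/sh
EOF
cat > "$SAMPLE_INETD" <<'EOF'
#ftp    stream  tcp  nowait  root  /usr/libexec/ftpd     ftpd -l
shell   stream  tcp  nowait  root  /usr/libexec/rshd     rshd
login   stream  tcp  nowait  root  /usr/libexec/rlogind  rlogind
#exec   stream  tcp  nowait  root  /usr/libexec/rexecd   rexecd
EOF

audit_host "$SAMPLE_PASSWD" "$SAMPLE_INETD"
```

On a real host, pass the system's own password and inetd configuration files as the two arguments; reading the password database requires root.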