Date: Fri, 7 Jul 2006 20:30:01 -0400 From: Mikhail Teterin <mi+mx@aldan.algebra.com> To: net@freebsd.org Cc: freebsd-security@freebsd.org, imp@freebsd.org Subject: strange limitation on rcmd() Message-ID: <200607072030.01999.mi%2Bmx@aldan.algebra.com>
next in thread | raw e-mail | index | archive | help
The manual page says, that rcmd() is only to be used by root's processes. On other OSes (Solaris, AIX), trying to call rcmd() without being root simply fails. FreeBSD, however, tries to be helpful and invokes rcmdsh in this case, which is inefficient and leaves the stderr's filedescriptor (fd2p) unfilled. Why? My understanding is, this is to make it harder for would-be attackers to attack machines with .rhosts-based security. But that is nothing more than a bad band-aid anyway -- attacker's own implementation of rcmd() (without the geteuid() checks) is trivial... So, without providing any meaningful security improvement (who is relying on .rhosts for security anyway?!), we are impeding a very useful functionality. rcmd offers an efficient way to send your data to a command "abroad" and even has a mechanism for getting the remote's stderr -- assuming, your network is secure enough for you to trust .rhosts. Why are we duplicating the misguided efforts of commercial Unixes and limiting it to root only? "Mechanism, not policy", please... -mi
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200607072030.01999.mi%2Bmx>