From: Ollivier Robert
To: FreeBSD Security
Subject: Re: rdist exploitation
Date: Thu, 20 Mar 1997 22:02:01 +0100
Message-ID: <19970320220201.29725@keltia.freenix.fr>
References: <199703192223.RAA13287@vic.cioe.com> <199703201826.NAA06646@roundtable.cif.rochester.edu>

According to Security Administrator:
> As far as I know, rdist is still broken. Your best bet is to
> remove the world executable permissions on the program and only allow
> root/bin to run it.

It has been plugged in 2.2/3.0 a long time ago:

revision 1.3
date: 1996/08/10 07:54:11;  author: peter;  state: Exp;  lines: +8 -4
Remove the need for rdist(1) to run setuid, thus completely closing any
possibility of a security hole.  It now does what rdist-6 does, and calls
/usr/bin/rsh if not running as root.

There are NO protocol changes, this is 100% compatible with the old rdist,
except that it does not need setuid root privs.

However, there are some minor differences to the base rdist-6 code in that
if it is being run by root, it will call rcmd(3) directly rather than piping
everything through rsh(1).  This is a little more efficient as it doesn't
involve context switching on pipe reads/writes.  Also, the -P option was
added from rdist-6.1.2, which allows an alternative rsh program to be
specified, such as ssh.  Note that it requires the fixes to the ssh port to
disable the unconditional USE_PIPES option that was recently added.  The
rcmd(3) optimisation is disabled if a non-rsh program is specified.

-- 
Ollivier ROBERT -=- FreeBSD: There are no limits -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #39: Sun Feb  2 22:12:44 CET 1997
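
An added illustration, in C, of the design the quoted commit message describes: use rcmd(3) only when already root and the default rsh is selected, otherwise hand the connection to an external helper so the calling program needs no setuid bit. It is not part of the original message and not FreeBSD's rdist source. The function names, the socketpair plumbing and the helper's argument order are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define DEFAULT_RSH "/usr/bin/rsh"   /* path named in the commit message */

enum transport { USE_RCMD, USE_HELPER };   /* hypothetical names */

/* rcmd(3) must bind a reserved port, so only root can use it; it is also
 * skipped when -P selected a non-rsh program such as ssh. */
enum transport pick_transport(uid_t euid, const char *rsh_prog)
{
    if (euid == 0 && strcmp(rsh_prog, DEFAULT_RSH) == 0)
        return USE_RCMD;
    return USE_HELPER;
}

/* Unprivileged path: run "<rsh_prog> <host> <cmd>" with one end of a
 * socketpair as its stdin and stdout. Returns our end, or -1 on error.
 * The caller reaps *child with waitpid(2). */
int spawn_helper(const char *rsh_prog, const char *host, const char *cmd,
                 pid_t *child)
{
    int sv[2];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if ((*child = fork()) < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    if (*child == 0) {               /* child: becomes the helper */
        close(sv[0]);
        dup2(sv[1], STDIN_FILENO);
        dup2(sv[1], STDOUT_FILENO);
        if (sv[1] > STDOUT_FILENO) close(sv[1]);
        execl(rsh_prog, rsh_prog, host, cmd, (char *)NULL);
        _exit(127);                  /* exec failed */
    }
    close(sv[1]);
    return sv[0];
}

int main(void)
{
    puts(pick_transport(geteuid(), DEFAULT_RSH) == USE_RCMD ? "rcmd" : "helper");
    return 0;
}
```

Any privilege needed to reach the remote host stays inside the helper, which is the only program in the chain that has to be trusted with it.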