From owner-freebsd-bugs Tue May 6 19:50:06 1997
Return-Path:
Received: (from root@localhost)
        by hub.freebsd.org (8.8.5/8.8.5) id TAA25832
        for bugs-outgoing; Tue, 6 May 1997 19:50:06 -0700 (PDT)
Received: (from gnats@localhost)
        by hub.freebsd.org (8.8.5/8.8.5) id TAA25818;
        Tue, 6 May 1997 19:50:03 -0700 (PDT)
Resent-Date: Tue, 6 May 1997 19:50:03 -0700 (PDT)
Resent-Message-Id: <199705070250.TAA25818@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, mark@linus.demon.co.uk
Received: from linus.demon.co.uk (linus.demon.co.uk [158.152.10.220])
        by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id TAA25667
        for ; Tue, 6 May 1997 19:47:06 -0700 (PDT)
Received: (from mark@localhost)
        by linus.demon.co.uk (8.8.5/8.8.5) id DAA20678;
        Wed, 7 May 1997 03:47:38 +0100 (BST)
Message-Id: <199705070247.DAA20678@linus.demon.co.uk>
Date: Wed, 7 May 1997 03:47:38 +0100 (BST)
From: Mark Valentine
Reply-To: mark@linus.demon.co.uk
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: bin/3524: rlogin doesn't read $HOSTALIASES for non-root users
Sender: owner-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         3524
>Category:       bin
>Synopsis:       rlogin doesn't read $HOSTALIASES for non-root users
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 6 19:50:02 PDT 1997
>Last-Modified:
>Originator:     Mark Valentine
>Organization:
>Release:        FreeBSD 3.0-CURRENT i386
>Environment:
>Description:

	Revision 1.13 of libc/net/res_query.c breaks usage of user
	HOSTALIASES file with setuid/setgid programs (such as rlogin),
	unless the user is root.
>How-To-Repeat:

	$ echo foohost foohost.some.domain >>$HOME/.hosts
	$ export HOSTALIASES=$HOME/.hosts
	$ rlogin foohost
	foohost: Unknown host

>Fix:

	Perhaps the security check might be a little more clever (along
	the lines of the ~/.rhosts check in iruserok()) - don't fail if
	the file is world readable, or if the real user is the owner of
	the file.

>Audit-Trail:
>Unformatted: