From owner-freebsd-security Thu Aug 8 22:04:04 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA07501 for security-outgoing; Thu, 8 Aug 1996 22:04:04 -0700 (PDT) Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA07468 for ; Thu, 8 Aug 1996 22:04:01 -0700 (PDT) Received: from rover.village.org (rover.village.org [204.144.255.49]) by who.cdrom.com (8.7.5/8.6.11) with ESMTP id UAA02907 for ; Thu, 8 Aug 1996 20:48:44 -0700 (PDT) Received: from rover.village.org (localhost [127.0.0.1]) by rover.village.org (8.7.5/8.6.6) with ESMTP id VAA07285 for ; Thu, 8 Aug 1996 21:48:19 -0600 (MDT) Message-Id: <199608090348.VAA07285@rover.village.org> To: security@freebsd.org Subject: rdist holes and such. Date: Thu, 08 Aug 1996 21:48:19 -0600 From: Warner Losh Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk FYI. I don't think that FreeBSD is vulnerable, but I thought I'd pass this along just in case. It is from bugtraq, and edited by me. I hope I didn't drop anything. Looking at the commit messages go by, I'd say this was a very complete code review of the entire rdist source. Todd Miller and I have a beer from time to time and he's a good guy. Someone with more time on their hands than myself might want to see if there is anything here that the FreeBSD sources might be lacking. Warner ------- Forwarded Message [ Headers edited by imp ] Date: Thu, 8 Aug 1996 20:20:21 -0600 Sender: Bugtraq List From: Theo de Raadt Subject: Re: /etc/shells (was Re: procmail) To: Multiple recipients of list BUGTRAQ [...] Ob. Security hole fix: If anyone wants to see a really secure rdist setup that solves all the problems (all the problems *I* know about..), take a look at the OpenBSD sources. - -r-xr-xr-x 1 root bin 212992 Aug 6 21:12 usr/bin/oldrdist* - -r-xr-xr-x 1 root bin 229376 Aug 6 21:12 usr/bin/rdist* - -r-xr-xr-x 1 root bin 163840 Aug 6 21:12 usr/bin/rdistd* Note they are not setuid. "oldrdist" is the old original rdist with all the known bugs fixed and modified to callout to "rsh" for setting up the connection. The "rsh" callout code is borrowed from new "rdist"; "rdist" is the latest 6.1 version with some more fixes by us. Since "oldrdist" and new "rdist" are not protocol compatible, it is important to have both. New "rdist" was written to know how to callout to "oldrdist" if it discovers the older protocol (or something like that). I am also happy to see that new "rdist" uses mkstemp() which makes it `safer' to ship a dist which contain writable directories. Thanks to Todd Miller for doing most of this work, I'm quite happy with it (I noted some of the problems but did none of the fixing) Who knows, some of you might indirectly benefit from this stuff. ------- End of Forwarded Message