From: Nathan Lawson
Message-Id: <199606290038.RAA00458@kdat.calpoly.edu>
Subject: Re: I need help on this one - please help me track this guy down!
To: terry@lambert.org (Terry Lambert)
Date: Fri, 28 Jun 1996 17:38:57 -0700 (PDT)
In-Reply-To: <199606271830.LAA05468@phaeton.artisoft.com> from "Terry Lambert" at Jun 27, 96 11:30:17 am

> > > Seriously, you must be root to create a setuid root file. It doesn't
> > > matter *how* you try to create it.
> >
> > A five dollar question Vince:
> >
> > does root have .rhosts in his home directory? What is to be found there?
> > If he does, throw it away; it's enormously insecure. Similar with
> > /etc/host.equiv et cetera.
>
> man ruserok
>
> The authentication for vouchsafe protocols (rcmd/rsh based protocols)
> *specifically* ignores hosts.equiv and hosts.lpd for root. If root
> does not have a .rhosts, then it is secure from vouchsafe attack this
> way.

Nice try, Terry, but since /bin and /usr/bin and all the binaries on the
system are owned by bin, a hosts.equiv might as well allow root access. I
can su to bin on my host, rsh over to victim, replace /usr/libexec/telnetd
with a script, telnet to localhost, and have my script run as root.

As I have said many times before, this is a vulnerable path to allowing
normal users (in this case bin) more privileges than necessary. All binaries
run as root MUST be owned by root. Any other protection is inadequate.

--
Nate Lawson      "There are a thousand hacking at the branches of
CPE Senior        evil to one who is striking at the root."
CSL Admin                 -- Henry David Thoreau, 'Walden', 1854
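
The ownership rule stated in the message above can be checked mechanically. The following is an added example, not part of the original post: it reads inetd.conf-style lines, picks the programs started as root, and flags any program file or ancestor directory that is not owned by root or is writable by group or others. The sample inetd lines, the ownership table and uid 3 standing in for bin are constructed for illustration.

```python
import os
import stat
from types import SimpleNamespace

# Constructed inetd.conf excerpt (fields: service type proto wait user program args).
SAMPLE_INETD = """\
telnet  stream  tcp  nowait  root    /usr/libexec/telnetd  telnetd
finger  stream  tcp  nowait  nobody  /usr/libexec/fingerd  fingerd -s
daytime stream  tcp  nowait  root    internal
"""

# Constructed ownership table for the layout the post describes; uid 3 = "bin" (assumed).
SAMPLE_OWNERSHIP = {
    "/": (0, stat.S_IFDIR | 0o755),
    "/usr": (0, stat.S_IFDIR | 0o755),
    "/usr/libexec": (3, stat.S_IFDIR | 0o755),
    "/usr/libexec/telnetd": (3, stat.S_IFREG | 0o555),
}

def sample_lstat(path):
    uid, mode = SAMPLE_OWNERSHIP[path]
    return SimpleNamespace(st_uid=uid, st_mode=mode)

def root_servers(inetd_text):
    """Yield programs inetd starts as root (5th field user[:group], 6th field path)."""
    for line in inetd_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if (len(fields) >= 6 and fields[5].startswith("/")
                and fields[4].split(":")[0] == "root"):
            yield fields[5]

def audit(path, lstat=os.lstat):
    """Check the file and each ancestor directory; symlinks are not followed."""
    findings = []
    current = os.path.abspath(path)
    while True:
        st = lstat(current)
        if st.st_uid != 0:  # the owner can chmod and rewrite the file or directory
            findings.append((current, "owned by uid %d, not root" % st.st_uid))
        if not stat.S_ISLNK(st.st_mode) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((current, "group- or world-writable"))
        parent = os.path.dirname(current)
        if parent == current:
            return findings
        current = parent

if __name__ == "__main__":
    for server in root_servers(SAMPLE_INETD):
        print(server, audit(server, lstat=sample_lstat))
```

On a live system, call `audit(path)` without the `lstat` argument so it uses `os.lstat` on the real filesystem.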