From owner-freebsd-hackers  Fri May 12  8:10:47 2000
Date: Fri, 12 May 2000 16:10:27 +0100 (BST)
From: Jan Grant <Jan.Grant@bristol.ac.uk>
To: Nick Sayer <nsayer@quack.kfu.com>
Cc: hackers@freebsd.org
Subject: Re: rexec as root
In-Reply-To: <391C12B5.E5A2DCD3@quack.kfu.com>
Message-ID: <Pine.GHP.4.21.0005121606390.487-100000@mail.ilrt.bris.ac.uk>

On Fri, 12 May 2000, Nick Sayer wrote:

> I would like to gather some opinions in regards to _very slightly_
> backing off on rexec's security.

Don't do it?

> rexec makes the following checks...
[ uid==0, password blank, uname in /etc/ftpusers ]

> I put it to everyone that the first and third checks are equivalent and

What you say is correct, but personally I think deprecated really should
mean deprecated. There are better alternatives to rexec (ssh - open or
otherwise) and they ought to be pushed.

If admins _really_ want this functionality, patching the source isn't so much
of a hardship. But it makes the path of least resistance the installation
of a better alternative :-)

jan

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287163 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk
Spreadsheet through network. Oh yeah.


