Message-Id: <200109151420.f8FEKMc89083@freefall.freebsd.org>
Date: Sat, 15 Sep 2001 07:20:22 -0700 (PDT)
From: Gavin Atkinson
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: misc/30590: /etc/hosts.equiv and ~/.rhosts interaction violates POLA?
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number: 30590
>Category: misc
>Synopsis: /etc/hosts.equiv and ~/.rhosts interaction violates POLA?
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Sep 15 07:30:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Gavin Atkinson
>Release: 4.4-RC5
>Organization: URY
>Environment:
FreeBSD ury3.york.ac.uk 4.4-RC FreeBSD 4.4-RC #3: Fri Sep 14 22:17:55 BST 2001 root@ury3.york.ac.uk:/usr/obj/usr/src/sys/GENERIC i386
>Description:
A user can override a system-wide 'disallow' entry in /etc/hosts.equiv by allowing it in his .rhosts.
Similarly, users cannot override system-wide 'allow' entries in /etc/hosts.equiv by disallowing it in his .rhosts.

Therefore the sysadmin of a system cannot easily prevent rlogins from another system. This would seem to be a useful thing, for example if the remote system has been compromised. Also, if a user cares more for his account's security than the sysadmin, he can't disable rlogins.

I believe a 'disallow' entry in either file should not be overridable.

This seems to have existed throughout the 4.x series.
>How-To-Repeat:
Add the following to hosts.equiv:

-foo.bar.com

A user can override this global disallow by adding the following to his .rhosts file:

+foo.bar.com

Similarly, the following in hosts.equiv:

+bar.foo.com

cannot be overridden by adding the following to a user's .rhosts file:

-bar.foo.com

(both tested with rlogin on 4.1-R, 4.3-R and 4.4-RC5)
>Fix:
Seems pretty difficult to fix nicely without a major re-write of __ivaliduser_sa, iruserok_sa and related functions in /usr/src/lib/libc/net/rcmd.c.
>Release-Note:
>Audit-Trail:
>Unformatted:
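
Added example, not part of the original report and not the libc code: a simplified C model of the lookup order the PR describes, next to the "a disallow in either file is final" semantics the reporter proposes. The function names and the host-only, exact-match entry parsing are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum verdict { NO_MATCH, ALLOW, DENY };

/* First entry naming the host decides. Model only: host-only entries
 * ("+host", "-host", bare "host"), exact match, no users or netgroups. */
static enum verdict scan(const char *file, const char *host)
{
    size_t hlen = strlen(host);
    for (const char *p = file; *p != '\0'; ) {
        size_t len = strcspn(p, "\n");            /* length of this line */
        size_t sign = (*p == '-' || *p == '+');   /* 1 if a sign prefix is present */
        if (len - sign == hlen && strncmp(p + sign, host, hlen) == 0)
            return *p == '-' ? DENY : ALLOW;
        p += len + (p[len] == '\n');              /* advance past the newline */
    }
    return NO_MATCH;
}

/* Behaviour reported in the PR: only an allow in hosts.equiv is final;
 * a deny there falls through to ~/.rhosts. Returns 1 if login is allowed. */
int reported_behaviour(const char *equiv, const char *rhosts, const char *host)
{
    if (scan(equiv, host) == ALLOW)
        return 1;
    return scan(rhosts, host) == ALLOW;
}

/* Semantics the reporter asks for: a deny in either file is final. */
int deny_is_final(const char *equiv, const char *rhosts, const char *host)
{
    enum verdict e = scan(equiv, host), r = scan(rhosts, host);
    if (e == DENY || r == DENY)
        return 0;
    return e == ALLOW || r == ALLOW;
}

int main(void)
{
    /* Constructed inputs mirroring the How-To-Repeat section. */
    const char *d = "-foo.bar.com\n", *a = "+foo.bar.com\n", *h = "foo.bar.com";
    printf("equiv denies, .rhosts allows: reported=%d proposed=%d\n",
           reported_behaviour(d, a, h), deny_is_final(d, a, h));
    printf("equiv allows, .rhosts denies: reported=%d proposed=%d\n",
           reported_behaviour(a, d, h), deny_is_final(a, d, h));
    return 0;
}
```

Under the reported behaviour both constructed cases end in an allowed login; under the proposed semantics both are refused.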