Date:      Mon, 3 Jul 2000 18:26:07 -0400 (EDT)
From:      Brian Dean <bsd@bsdhome.com>
To:        freebsd-security@freebsd.org
Subject:   rshd patch (security) - please comment (fwd)
Message-ID:  <Pine.BSF.4.21.0007031821410.21917-100000@vger.bsdhome.com>

Hi,

Someone brought to my attention that this patch should get wider
review, -security was suggested and seems appropriate.  My apologies
for not sending it here in the first place.

Comments welcome!

Thanks,
-Brian

---------- Forwarded message ----------
Date: Mon, 3 Jul 2000 15:16:33 -0400 (EDT)
From: Brian Dean <bsd@bsdhome.com>
To: committers@freebsd.org
Subject: rshd patch (security) - please comment

Hi,

Currently, in rshd, if the target user account does not contain a
password, access is granted, regardless of what .rhosts says.  I think
this is a bug and should be removed (please see the included patch).

Consider the case of the root account, where network ttys are marked
insecure, and thus, root access should be denied on that basis.  This
mis-feature allows root from any remote system to gain network access,
which would otherwise be denied.  For example, one can:

	rsh foo 'export DISPLAY=bar:0; /usr/X11R6/bin/xterm'

Where machine 'foo' does not have a root password (but the console may
otherwise be secure).

You may say to just put on a root password and be done with it.  While
that is true, the logic of 'rshd' is such that it breaks the
expectation that root can only gain login access via the console.
Surely this is not the intended behaviour.

Any comments from our security and RFC experts?

If there are no objections, I will commit this in a few days.  While
this patch won't help if someone installs a .rhosts file for root
(they do this knowingly and can shoot off their own feet if they so
choose), it will at least not bypass the check for a .rhosts file
simply because no password is present, which some may have felt was
secure as long as their console was secure.

Thanks,
-Brian
-- 
Brian Dean
bsd@FreeBSD.org


Index: rshd.c
===================================================================
RCS file: /home/ncvs/src/libexec/rshd/rshd.c,v
retrieving revision 1.31
diff -u -r1.31 rshd.c
--- rshd.c	2000/04/29 12:02:00	1.31
+++ rshd.c	2000/07/03 17:53:47
@@ -399,9 +399,8 @@
 
 		if (errorstr ||
 		    (pwd->pw_expire && time(NULL) >= pwd->pw_expire) ||
-		    (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
-		     iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0,
-				 remuser, locuser) < 0)) {
+		    iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0,
+				 remuser, locuser) < 0) {
 			if (__rcmd_errstr)
 				syslog(LOG_INFO|LOG_AUTH,
 			    "%s@%s as %s: permission denied (%s). cmd='%.80s'",

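Review bot: Dropping the `pw_passwd` test from the condition changes behaviour for every passwordless account, not only root: all of them now go through `iruserok_sa()`, so a setup that relied on the old behaviour will start logging "permission denied". Say so in the commit message, and if the manual page describes the empty-password case, update it in the same commit. Style nit: the continuation line `remuser, locuser) < 0) {` kept its old indentation and no longer lines up under the arguments of `iruserok_sa(`, which moved one column to the left.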



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
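
A defender-side check that follows from the message above, as an added example that is not part of the original mail or the FreeBSD source: it lists the accounts with an empty password field in master.passwd-format input, which are the accounts the unpatched rshd admits without consulting .rhosts. The function names, the sample entries and the fixed timestamp are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message or from FreeBSD).
# master.passwd fields:
#   name:passwd:uid:gid:class:change:expire:gecos:home:shell

# Constructed sample input, not taken from any real system.
sample_master_passwd() {
    cat <<'EOF'
# constructed sample
root::0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:$1$constructed$hash:1001:1001::0:0:Alice:/home/alice:/bin/sh
guest::1002:1002::0:0:Guest:/home/guest:/bin/sh
olduser::1003:1003::0:946684800:Old:/home/olduser:/bin/sh
EOF
}

# Read master.passwd-format lines on stdin and print one line per
# account with an empty password field: "<uid0|user> <name> <shell>".
# $1 (optional): current time in epoch seconds, default: now.
empty_pw_accounts() {
    now=${1:-$(date +%s)}
    awk -F: -v now="$now" '
        /^#/ || NF < 10 { next }        # comments and malformed lines
        $2 != ""        { next }        # a password (or "*") is set
        # rshd already refuses expired accounts (the pw_expire test
        # in the hunk context), so they are not reported here.
        $7 != 0 && $7 <= now { next }
        {
            tag = ($3 == 0) ? "uid0" : "user"
            printf "%s %s %s\n", tag, $1, $10
        }
    '
}

# Demo on the constructed sample, with the clock fixed at 3 Jul 2000.
sample_master_passwd | empty_pw_accounts 962663167
```

On a real system the input would be the password database itself, for example `empty_pw_accounts < /etc/master.passwd` run as root.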



