Bugtraq mailing list archives
Re: Security Info (root broken) (fwd)
From: mjo () msen com (Mike O'Connor)
Date: Thu, 29 Sep 1994 19:59:48 -0400 (EDT)
:From: Pug <pug () arlut utexas edu>
:As I remember the race condition, you don't have a problem if you don't
:allow the 'r' commands into your system. The race condition created a
:.rhosts file for accounts that had UID 0, but no existing .rhosts file.
:I can't find my copy of the exploit anymore to be certain. As well, you
:had to start on the system, so it wasn't that much of an external job
:anyway.
:
:I see allowing 'r' commands into your installation as a Bad Thing anyway.

The "r" commands are the most heterogeneous way of providing 8-bit
connectivity to a system. If you disallow the "r" commands, you may find
that you have grief with terminal server products and some of the
alternative protocols that are less battle-worn (look at the headaches
that the stock BSD 4.4 telnet/telnetd has given people with option
negotiation). While it's nice in theory, it could be bad in practice.

--
Mike O'Connor, mjo () msen com http://www.msen.com/~mjo/
"What's this stuff? I'm not gonna eat it!" -Calvin