Bugtraq mailing list archives
Re: rdist exploit [bsdi]
From: sjg () quick com au (Simon J. Gerraty)
Date: Thu, 18 Jul 1996 00:23:20 +1000
Chris Siebenmann writes:
> The real way to fix this hole in rdist is to run a version of rdist that is not setuid root. Patching the source and leaving rdist setuid root is just a bandaid until the next exploit is found.

Quite agree.

> The only reason rdist is setuid root is so it can use rcmd(); it is easy to write a replacement for rcmd() that forks rsh. I did this and announced it back in November of 1991, when the first rdist security

If you really want it safe, you can (soon) use SSLrdist (and SSLrcp, SSLrsh etc). None of these are set-uid, as SSLr* don't bother with reserved ports (what's the point?) and in general SSLrshd does not care where the client is calling from - his certificate proves who he is.

The rdist is the current USC version but calling ssl_rcmd() and yes you could just use rdist -P SSLrsh, but if you were updating multiple hosts with a certificate that needed a passwd you'd get bored quickly.

I've not made a public release as currently you need BSD make to build it and that upsets some folk, so when I've done a set of gmake makefiles and configure etc, I'll put it up for ftp.

In the meantime, check out http://www.quick.com.au/sjg/SSLrsh.html

--
Simon J. Gerraty <sjg () zen void oz au>

#include <disclaimer> /* imagine something _very_ witty here */
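
The rcmd() replacement mentioned in the quoted text, sketched as an added example; it is not the code announced in 1991 nor rdist's own. The names rcmd_via_rsh and drain_and_reap, the rsh_path parameter and the sample host, user and command are assumptions, and /bin/echo stands in for the rsh client so the demo runs offline.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical rcmd() stand-in: an unprivileged child runs the rsh client, so
 * the caller needs no reserved port and no setuid bit. Returns a socket or -1. */
int rcmd_via_rsh(const char *rsh_path, const char *host, const char *ruser,
                 const char *cmd, pid_t *child)
{
    int sv[2];
    /* A host or user starting with '-' would be parsed by rsh as an option. */
    if (!host[0] || host[0] == '-' || !ruser[0] || ruser[0] == '-') return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {                         /* child: becomes the rsh client */
        close(sv[0]);
        if (dup2(sv[1], 0) < 0 || dup2(sv[1], 1) < 0) _exit(127);
        if (sv[1] > 1) close(sv[1]);
        execl(rsh_path, rsh_path, host, "-l", ruser, cmd, (char *)NULL);
        _exit(127);                         /* exec failed */
    }
    close(sv[1]);                           /* parent keeps only its own end */
    *child = pid;
    return sv[0];
}

/* Read the child's output until EOF, then reap it so no zombie is left. */
ssize_t drain_and_reap(int fd, pid_t child, char *buf, size_t cap)
{
    size_t used = 0;
    ssize_t n;
    while (used + 1 < cap && (n = read(fd, buf + used, cap - 1 - used)) > 0)
        used += (size_t)n;
    buf[used] = '\0';
    close(fd);
    waitpid(child, NULL, 0);
    return (ssize_t)used;
}

int main(void)
{
    char out[256];
    pid_t pid;
    /* Constructed stand-in: /bin/echo prints the argv rsh would have received. */
    int fd = rcmd_via_rsh("/bin/echo", "host.example", "alice", "uptime", &pid);
    if (fd < 0) return 1;
    drain_and_reap(fd, pid, out, sizeof out);
    printf("child argv: %s", out);
    return 0;
}
```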