Bugtraq mailing list archives

Re: Is starting a user program on priv port via inetd dangerous ?


From: Jukka.Ukkonen () csc fi (Jukka Ukkonen)
Date: Sat, 23 Jul 1994 10:08:37 +0300 (EET DST)


Quoting Lord of flying horned octopi:

If rlogind was so easily spoofed, why not just use your own machine, i.e.
one you have root access on, to spoof someone else's rlogind?

        For the root user rlogind does not scan /etc/hosts.equiv. It only
        looks into /.rhosts when you try to access the root account. You
        would have to spoof DNS!

        Only a brain-dead sys-admin would ever put any other machines but
        those in his own domain to any /etc/hosts.equiv. Those are the only
        machines over which (s)he has unlimited control and can make any
        assumptions about their reliability. (Neither would I ever rely on
        any other DNS server but the ones I am administering myself to give
        me correct information about my domain.)

        To the users' personal ~/.rhosts then... Because many normal
        users tend to keep a lot of unreliable machines in their own
        ~/.rhosts some admins turn off the checking of the personal
        .rhosts files. Even though such an entry does not compromise
        directly more than the single user's account it could be used
        as the first access point to a machine to allow further cracking.

        On the whole rlogind is not more easily fooled than is the person
        administering the machine on which rlogind runs. For more security
        one could always compile one's own rlogind (and rshd) and make sure
        the ip-source-route option is not set when a connection is opened.
        One could use tcpd to force the same effect.

        As a general reply to the discussion about the inetd ...
        Because inetd really can start non-root programs with sockets
        bound to ports below 512 you should remember these ports are
        reserved for IANA to assign. Ports from 512 to 1023 were originally
        reserved for UNIX services like rlogind (login), rshd (shell),
        rexecd (exec) and are in fact also IANA's domain but these can be
        temporarily assigned by local sys-admins too on an as-needed basis.

        On the whole there is no other real advantage making a server to
        run on a controlled (1023 or below) port but to know a normal
        user usually cannot steal a well known port for some other purpose
        thus making a well known service unavailable on the particular
        machine. (This only goes as far as your machine is a multiuser
        host that makes a difference between normal and controlled ports.)
        Relying on an attempted connection coming from a port with number
        1023 or below makes sense only as far as you can rely on the remote
        peer to enforce the policy that only root can allocate a controlled
        port, and know the root on that particular machine has no malicious
        interest towards our machine. (Generally this means that the peer
        machines have the same admins.)

        If the irc community wants to gain a "well known service" status
        for irc/ircd, please, do so by negotiating with IANA.

        Cheers,
                // jau
------
  /    Jukka A. Ukkonen, M.Sc. (tech.) Centre for Scientific Computing
 /__   Internet: ukkonen () csc fi            Tel:  (Home) +358-0-578628
   /   Internet: jau () cs tut fi                   (Work) +358-0-4573208
  v    X.400:    c=fi, admd=fumail, no prmd, org=csc, pn=jukka.ukkonen
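The two server-side checks discussed in the message above, a peer source port in the reserved range (below 1024) and no IP options (such as a loose or strict source route) on the accepted connection, written out as an added example. This is not Jukka's code nor any rlogind implementation; the function names (`vet_peer`, `has_ip_options`, `loopback_demo`) and the constructed LSRR option bytes are this example's own, and reading the options relies on the `IP_OPTIONS` socket option as exposed by Linux and the BSDs. The loopback demo connects from an unprivileged client on an ephemeral port, so the server refuses it, which is exactly the distinction between normal and controlled ports the message describes. The hosts.equiv/.rhosts and reverse-DNS checks a real rlogind performs are outside this example.

```python
import socket
import threading

# Ports below this value can only be bound by root on a traditional multiuser
# UNIX host; this is the boundary rlogind/rshd rely on when trusting a peer.
IPPORT_RESERVED = 1024

# Constructed sample: an IPv4 loose source route option (type 0x83, length 7,
# pointer 4, one hop 10.0.0.1). Used only to show what the options check rejects.
SAMPLE_LSRR_OPTION = b"\x83\x07\x04\x0a\x00\x00\x01"


def is_reserved_port(port):
    """True when only root (on a well-behaved peer) could have allocated the port."""
    return 0 < port < IPPORT_RESERVED


def has_ip_options(conn):
    """Return the raw IP options carried by an accepted IPv4 connection.

    b'' means no options at all (so no source route). None means the platform
    did not let us inspect them, which the caller treats as a refusal.
    """
    try:
        return conn.getsockopt(socket.IPPROTO_IP, socket.IP_OPTIONS, 40)
    except (AttributeError, OSError):
        return None


def vet_peer(peer_port, ip_options):
    """Apply both checks and return (accepted, reason)."""
    if not is_reserved_port(peer_port):
        return False, "source port %d is not a reserved port" % peer_port
    if ip_options is None:
        return False, "could not inspect IP options on the connection"
    if ip_options:
        return False, "IP options present (possible source route): %s" % ip_options.hex()
    return True, "ok"


def loopback_demo():
    """Accept one connection from an unprivileged client and record the verdict."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, so the demo needs no root
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def serve():
        conn, (_host, peer_port) = srv.accept()
        with conn:
            result["peer_port"] = peer_port
            result["verdict"] = vet_peer(peer_port, has_ip_options(conn))

    worker = threading.Thread(target=serve)
    worker.start()
    client = socket.create_connection(("127.0.0.1", port))
    worker.join()
    client.close()
    srv.close()
    return result


if __name__ == "__main__":
    print(vet_peer(513, b""))                   # a root-allocated port, no options
    print(vet_peer(513, SAMPLE_LSRR_OPTION))    # same port, but source-routed
    print(loopback_demo())                      # unprivileged local client: refused
```

Both checks only push the trust decision onto the peer host: a reserved source port proves nothing unless the peer enforces the root-only rule and its root is not hostile, which is why the message limits this to machines under the same administration.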


