Bugtraq mailing list archives

Re: Fix for Linux/AIX login hole


From: long-morrow () cs yale edu (H Morrow Long)
Date: Mon, 23 May 1994 17:22:48 -0400


Date: Mon, 23 May 1994 16:21:58 -0400
From: Rens Troost <rens () imsi com>

On Mon, 23 May 1994 10:01:17 -0700, Karyn Pichnarczyk <karyn () cheetah llnl gov> said:

 karyn> Not sufficient.  Does not keep people from logging in as a
 karyn> user other than root.

Also fairly time-consuming on a network with several thousands of
them...smit was built by mainframers.

-Rens

Actually you don't have to run smit, just do a:

        chuser rlogin='false' root

Of course this is no substitute for the IBM emergency patch which should
be installed as well.  I do recommend removing the ability to rlogin to
a root account.  There is no valid reason for root to be able to rlogin
(well there might be a few but they are not as powerful as the arguments
against).  /bin/su is the preferred method of becoming root and you can
still telnet in and login on the console as root (I would encourage you
to turn off the ability to telnet in and login as root as well, but...).

B.T.W. For those people who may have many (tens or hundreds of) RS6ks,
I've appended a shell script which automates the disabling of root rlogin
capability and the installation of the IBM AIX emergency patch
(no express warranties or liability, your mileage may vary).
Appended is the shell script based on the official CERT announcement on the
AIX RS/6000 security hole plus another precaution (disables rlogin to root).

If you want it to install IBM emergency patch you must ftp
ftp://software.watson.ibm.com:/pub/rlogin/rlogin.tar.Z
and uncompress and untar it ( zcat rlogin.tar.Z | tar xvpf - ) somewhere.

Then set the following variables for this shell script:

AIX_VERSION

AIX_PATCH_DIR

This script does the following:

1.      As root, disables being able to rlogin to root

        chuser rlogin='false' root

2.      Disables the remote login rlogin service in /etc/inetd.conf, 
                then do 'inetimp' and 'refresh -s inetd'

3.      Installs the IBM emergency patch.

4.      Enable the remote login rlogin service in /etc/inetd.conf, 
                then do 'inetimp' and 'refresh -s inetd'

5.      Test.

                                        - Morrow

#!/bin/sh
# 
#        H. Morrow Long, Yale CSCF
# 
# Version "tsm-3.2.0".
AIX_VERSION="tsm-3.2.0"
#
# Patch path directory /cs/local/src/AIX/rlogin/
AIX_PATCH_DIR="/cs/local/src/AIX/rlogin"

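AIX_TSM_PATCH="$AIX_PATCH_DIR/$AIX_VERSION"

# Stop before touching anything if the patch file is missing; otherwise the
# steps below would remove login and getty with nothing to replace them.
[ -f "$AIX_TSM_PATCH" ] || { echo "patch not found: $AIX_TSM_PATCH" >&2; exit 1; }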

# Root should NOT be allowed to rlogin as user ROOT anyway!  DISABLE root rlogin
# 
chuser rlogin='false' root
# 
# 
#            1. As root, edit /etc/inetd.conf
#               Comment out the line 'login ... rlogin'

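# Build the edited copy under /etc rather than under a predictable
# file name in world-writable /tmp.
cp -p /etc/inetd.conf /etc/inetd.conf.BACKUP
sed 's/^login/# login/' /etc/inetd.conf.BACKUP > /etc/inetd.conf.NEW
cp /etc/inetd.conf.NEW /etc/inetd.conf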

#            2. Run 'inetimp'
inetimp
#            3. Run 'refresh -s inetd'
refresh -s inetd
# 
# 
# 
# APAR IX44254 -- rlogin security hole
# 
# This document describes how to apply the emergency patch for APAR
# IX44254.  This emergency patch is not the permanent solution to this
# problem, it merely provides a means to restore rlogin functionality
# in a more secure manner.
# 
# Begin by identifying the correct level for your system.  The command
# "oslevel" may be used for this purpose on AIX v3.2 systems.  For AIX
# v3.1 systems you must know the last maintenance level which was
# applied.
# 
# If the "oslevel" command returns "oslevel: not found" or a similar
# message from the shell, you must use "tsm-3.2.0".
# 
# If the "oslevel" command returns "<3240" or "<>3240", you must use
# "tsm-3.2.0".
# 
# If the "oslevel" command returns "=3240", ">3240", "<3250" or "<>3250",
# you must use "tsm-3.2.4".
# 
# If the "oslevel" command returns "=3250" or ">3250", you must use
# "tsm-3.2.5".
# 
# 
# Once you have determined the correct version, execute the following
# steps.
# 
# 1). "cd /usr/sbin"
cd /usr/sbin || exit 1
# 2). If the file "tsm.ix44254" does not exist, execute "mv tsm tsm.ix44254"
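# Only move tsm aside if no saved copy exists, so a second run does not
# overwrite the saved original with the patched binary.
[ -f tsm.ix44254 ] || mv tsm tsm.ix44254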
# 3). "cp <version> tsm" where "<version>" was figured out above.
# "tsm-3.2.0".

# cp /cs/local/src/AIX/rlogin/tsm-3.2.0 ./tsm
cp "${AIX_TSM_PATCH}" ./tsm

# 3). "rm -f login getty"
rm -f login getty
# 4). "chown root.security tsm"
chown root.security tsm
# 5). "chmod 4554 tsm"
chmod 4554 tsm
# 6). "ln tsm login"
ln tsm login
# 7). "ln tsm getty"
ln tsm getty
# 8). "chmod a-x tsm.ix44254"
chmod a-x tsm.ix44254
# 

cp -p /etc/inetd.conf.BACKUP /etc/inetd.conf

#            2. Run 'inetimp'
inetimp
#            3. Run 'refresh -s inetd'
refresh -s inetd
# 

# 
# You may verify that the new login command is working correctly with the
# command
# 
#       rlogin localhost
rlogin localhost

# -------------------end of file --------------------
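
Added example (not part of the original post or of IBM's instructions): shell functions that pick the patch file from `oslevel` output using the rules quoted in the script comments, and that check the link and mode state the install steps should leave behind. The function names are hypothetical, and the root.security ownership check is left out.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the post.

# Map "oslevel" output to the patch file name, following the rules
# quoted in the script comments. Fails on output it does not know.
pick_tsm_version() {
    case "$1" in
        *"not found"*|"<3240"|"<>3240")   echo "tsm-3.2.0" ;;
        "=3240"|">3240"|"<3250"|"<>3250") echo "tsm-3.2.4" ;;
        "=3250"|">3250")                  echo "tsm-3.2.5" ;;
        *) return 1 ;;
    esac
}

inode_of() { ls -di "$1" 2>/dev/null | awk '{print $1}'; }
mode_of()  { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# Check the state the install steps should leave in directory $1
# (/usr/sbin on a real host). Prints one line per problem and
# returns 0 only when nothing is wrong.
verify_tsm_install() {
    dir=$1
    bad=0
    tsm_inode=$(inode_of "$dir/tsm")
    if [ -z "$tsm_inode" ]; then
        echo "missing: $dir/tsm"
        return 1
    fi
    # chmod 4554: setuid, r-x for owner and group, r-- for others
    if [ "$(mode_of "$dir/tsm")" != "-r-sr-xr--" ]; then
        echo "tsm mode is $(mode_of "$dir/tsm"), expected -r-sr-xr--"
        bad=1
    fi
    # "ln tsm login" and "ln tsm getty" must share tsm's inode
    for name in login getty; do
        if [ "$(inode_of "$dir/$name")" != "$tsm_inode" ]; then
            echo "$name is not a hard link to tsm"
            bad=1
        fi
    done
    # the old binary is kept, but "chmod a-x" must have taken effect
    case "$(mode_of "$dir/tsm.ix44254")" in
        "")      echo "missing: $dir/tsm.ix44254"; bad=1 ;;
        *[xst]*) echo "tsm.ix44254 is still executable"; bad=1 ;;
    esac
    return $bad
}
```

On a host this would be called as `pick_tsm_version "$(oslevel 2>&1)"` before the install and `verify_tsm_install /usr/sbin` after it.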


