Bugtraq mailing list archives

Re: Security Info (root broken) (fwd)


From: mjo () msen com (Mike O'Connor)
Date: Thu, 29 Sep 1994 19:59:48 -0400 (EDT)


:From: Pug <pug () arlut utexas edu>
:As I remember the race condition, you don't have a problem if you don't
:allow the 'r' commands into your system. The race condition created a
:.rhosts file for accounts that had UID 0, but no existing .rhosts file.
:I can't find my copy of the exploit anymore to be certain. As well, you
:had to start on the system, so it wasn't that much of an external job
:anyway.
:
:I see allowing 'r' commands into your installation as a Bad Thing anyway.

The "r" commands are the most heterogeneous way of providing 8-bit
connectivity to a system.  If you disallow the "r" commands, you may
find that you have grief with terminal server products and some of the
alternative protocols that are less battle-worn (look at the headaches
that the stock BSD 4.4 telnet/telnetd has given people with option
negotiation).  While it's nice in theory, it could be bad in practice.  

-- 
 Mike O'Connor, mjo () msen com
 http://www.msen.com/~mjo/

"What's this stuff?  I'm not gonna eat it!"  -Calvin
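
The quoted message recalls the race condition leaving a .rhosts file in UID 0 accounts that had none. A check of that state for every UID 0 account, as an added example that is not part of the original thread; the function names, status labels, root-prefix argument and sample tree are assumptions constructed for illustration:

```shell
#!/bin/sh
# Audit the .rhosts state of every UID 0 account in a passwd file.
# Usage: audit_rhosts [passwd_file] [root_prefix]
# root_prefix (assumption) is prepended to each home directory so the audit
# can run against a mounted image or a constructed test tree.
audit_rhosts() {
    passwd_file=${1:-/etc/passwd}
    prefix=${2:-}
    # passwd fields: name:pw:uid:gid:gecos:home:shell
    awk -F: '$3 == 0 { print $1 ":" $6 }' "$passwd_file" |
    while IFS=: read -r user home; do
        f="$prefix$home/.rhosts"
        if [ -L "$f" ]; then
            echo "$user SYMLINK $f"      # check first: -e follows links
        elif [ ! -e "$f" ]; then
            echo "$user ABSENT $f"       # the precondition Pug describes
        elif grep -q '^[[:space:]]*+' "$f"; then
            echo "$user WILDCARD $f"     # a line starting with '+' trusts any host
        elif [ -s "$f" ]; then
            echo "$user PRESENT $f"      # has entries: review each one
        else
            echo "$user EMPTY $f"
        fi
    done
}

# Constructed sample tree: two UID 0 accounts and one ordinary user.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/root" "$d/home/toor"
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
        'toor:x:0:0::/home/toor:/bin/sh' \
        'alice:x:1000:1000::/home/alice:/bin/sh' > "$d/passwd"
    printf '+ +\n' > "$d/home/toor/.rhosts"
    echo "$d"
}

# Run the audit over the constructed tree, then clean up.
t=$(demo_tree)
audit_rhosts "$t/passwd" "$t"
rm -rf "$t"
```

Called with no arguments, the function reads /etc/passwd and the live home directories.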


