Bugtraq mailing list archives

Re: rdist exploit [bsdi]


From: cks () hawkwind utcs toronto edu (Chris Siebenmann)
Date: Tue, 16 Jul 1996 18:09:52 -0400


 The real way to fix this hole in rdist is to run a version of rdist
that is not setuid root. Patching the source and leaving rdist setuid
root is just a bandaid until the next exploit is found.

 The only reason rdist is setuid root is so it can use rcmd(); it is
easy to write a replacement for rcmd() that forks rsh. I did this and
announced it back in November of 1991, when the first rdist security
hole was announced, and you can get the code from ftp.sys.utoronto.ca
as /pub/rdist.tar.gz. Versions of rdist 6 have come non-setuid for some
time, after John DiMarco took my change and integrated it.

 I find rdist's continuing setuid state (and the resulting security
exposures that turn up) a stunning testimony to just how much vendors
really care about Unix security.

--
                "there used to be two moons
                 then one of them
                 discovered coffee."            - Curtis Yarvin
cks () hawkwind utcs toronto edu              ...!{utgpu,utzoo,watmath}!utgpu!cks
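
An added example, not the code from the rdist.tar.gz mentioned in the message above: a sketch of the approach it describes, in which an rcmd()-style call forks an unprivileged rsh child instead of binding a reserved port itself, so the calling program needs no setuid bit. The function name rcmd_via_rsh, the socketpair plumbing and the "host -l user command" argument order are assumptions; the demo main() substitutes echo for rsh so that it runs offline.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper. Returns one bidirectional fd wired to the remote
 * command's stdin/stdout (as rcmd() does), or -1 on error. The privileged
 * port is obtained by rsh, not by the caller. */
int rcmd_via_rsh(const char *rsh_path, const char *host, const char *ruser,
                 const char *cmd, pid_t *child)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    if (pid == 0) {                       /* child: becomes rsh */
        close(sv[0]);
        if (dup2(sv[1], STDIN_FILENO) < 0 || dup2(sv[1], STDOUT_FILENO) < 0)
            _exit(127);
        if (sv[1] > STDERR_FILENO)
            close(sv[1]);
        /* Arguments go in as an argv vector, never through a local shell.
         * Assumed rsh argument order: host -l user command. */
        execlp(rsh_path, rsh_path, host, "-l", ruser, cmd, (char *)NULL);
        _exit(127);                       /* exec failed */
    }
    close(sv[1]);                         /* parent keeps only its own end */
    if (child)
        *child = pid;
    return sv[0];
}

int main(void)
{
    /* Constructed demo: "echo" stands in for rsh and prints the argv
     * that rsh would have received. Host and command are sample values. */
    char buf[256];
    pid_t pid;
    int fd = rcmd_via_rsh("echo", "host.example", "nobody", "uname -a", &pid);
    if (fd < 0) return 1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    if (n > 0) { buf[n] = '\0'; fputs(buf, stdout); }
    close(fd);
    waitpid(pid, NULL, 0);
    return 0;
}
```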


