Bugtraq mailing list archives

Re: rdist exploit [bsdi]


From: sjg () quick com au (Simon J. Gerraty)
Date: Thu, 18 Jul 1996 00:23:20 +1000


Chris Siebenmann writes:
> The real way to fix this hole in rdist is to run a version of rdist
> that is not setuid root. Patching the source and leaving rdist setuid
> root is just a bandaid until the next exploit is found.

Quite agree.

> The only reason rdist is setuid root is so it can use rcmd(); it is
> easy to write a replacement for rcmd() that forks rsh. I did this and
> announced it back in November of 1991, when the first rdist security

If you really want it safe, you can (soon) use SSLrdist (and SSLrcp,
SSLrsh etc).  None of these are set-uid, as SSLr* don't bother with reserved
ports (what's the point?) and in general SSLrshd does not care
where the client is calling from - his certificate proves who he is.

The rdist is the current USC version but calling ssl_rcmd()
and yes you could just use rdist -P SSLrsh, but if you were updating multiple
hosts with a certificate that needed a passwd you'd get bored quickly.

I've not made a public release as currently you need BSD make to build it
and that upsets some folk, so when I've done a set of gmake makefiles
and configure etc, I'll put it up for ftp.

In the meantime, check out http://www.quick.com.au/sjg/SSLrsh.html


--
Simon J. Gerraty        <sjg () zen void oz au>

#include <disclaimer>   /* imagine something _very_ witty here */
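The rcmd() replacement that forks rsh, mentioned in the message above, could look like the following sketch. It is an added example, not code from this post, rdist, or SSLrsh. The names `rcmd_via_rsh`, `rcmd_drain` and the `rsh_path` parameter are hypothetical, and the separate stderr channel that rcmd() offers is left out.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not rdist's code): run `rsh_path host -l user cmd`
 * as a child and return a socket wired to its stdin/stdout, the role the
 * descriptor returned by rcmd() plays. The caller binds no reserved port,
 * so the calling program does not need to be setuid root. */
int rcmd_via_rsh(const char *rsh_path, const char *host,
                 const char *user, const char *cmd, pid_t *pid_out)
{
    int sv[2];
    /* Refuse empty names and names rsh would parse as options. */
    if (host[0] == '-' || user[0] == '-' || host[0] == '\0' || user[0] == '\0')
        return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    if (pid == 0) {                       /* child: becomes rsh */
        close(sv[0]);
        if (dup2(sv[1], STDIN_FILENO) < 0 || dup2(sv[1], STDOUT_FILENO) < 0)
            _exit(127);
        if (sv[1] > STDOUT_FILENO) close(sv[1]);
        /* execl, not system(): arguments reach rsh without a local shell. */
        execl(rsh_path, rsh_path, host, "-l", user, cmd, (char *)NULL);
        _exit(127);                       /* exec failed */
    }
    close(sv[1]);                         /* parent keeps only its own end */
    *pid_out = pid;
    return sv[0];
}

/* Read the reply until EOF into buf (NUL-terminated), then reap the child.
 * Returns the number of bytes read, or -1 if the child could not be reaped. */
long rcmd_drain(int fd, pid_t pid, char *buf, size_t len)
{
    size_t used = 0;
    ssize_t n;
    while (used + 1 < len && (n = read(fd, buf + used, len - 1 - used)) > 0)
        used += (size_t)n;
    buf[used] = '\0';
    close(fd);
    return waitpid(pid, NULL, 0) == pid ? (long)used : -1;
}
```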


