Date: Mon, 22 Jan 2001 09:36:47 -0500
From: Jason Tishler
To: Keith Starsmeare
Cc: cygwin AT cygwin DOT com
Subject: Re: rsh -l doesn't require a password
Message-ID: <20010122093647.A343@dothill.com>
In-Reply-To: ; from keith_starsmeare@yahoo.co.uk on Mon, Jan 22, 2001 at 02:12:01PM +0000
Organization: Dot Hill Systems Corp.

Keith,

On Mon, Jan 22, 2001 at 02:12:01PM +0000, Keith Starsmeare wrote:
> There appears to be a security problem with the inetd. I can access my
> NT box via rsh remotely without giving a password if I use the -l
> option to specify a valid user account:
>
> % rsh -l kstarsm kampala id
> uid=18(system) gid=512(domadmin) groups=512(domadmin)
>
> As I haven't set up the hosts.equiv or .rhosts files I would hope to see:
> % rsh -l kstarsm kampala id
> Permission denied.

IMO, it is a bug in rshd which is due to the following (from
inetutils-1.3.2/rshd/rshd.c):

    void
    doit(fromp)
        struct sockaddr_in *fromp;
    {
    ..
        if (errorstr ||
    ***>    pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
            iruserok(fromp->sin_addr.s_addr, pwd->pw_uid == 0,
            remuser, locuser) < 0) {
            if (__rcmd_errstr)
                syslog(LOG_INFO|LOG_AUTH,
                "%s@%s as %s: permission denied (%s). cmd='%.80s'",
                remuser, hostname, locuser, __rcmd_errstr,
                cmdbuf);
    ..
    }

Since Cygwin's mkpasswd creates an empty pw_passwd field, the above code
never calls iruserok().  Hence, any user is allowed rsh access.

I "fixed" the problem by inserting asterisks into the pw_passwd fields
in my /etc/passwd file.  For example:

    jt:*:1004:513:Jason Tishler,S-1...
       ^
       +--- here

I never submitted a patch because it seems like the s-commands (i.e., ssh)
are much more in vogue than the r-commands (i.e., rsh) nowadays.

Jason

-- 
Jason Tishler
Director, Software Engineering       Phone: +1 (732) 264-8770 x235
Dot Hill Systems Corp.               Fax:   +1 (732) 264-8798
82 Bethany Road, Suite 7             Email: Jason DOT Tishler AT dothill DOT com
Hazlet, NJ 07730 USA                 WWW:   http://www.dothill.com
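
The condition quoted in the message above, reduced to a small test program (an added example, not part of the original post and not inetutils code). It shows why an empty pw_passwd field skips the trust check and why the "*" workaround restores it. Assumptions: trust_check() is a hypothetical stand-in for iruserok(), denied_hardened() is one possible stricter variant rather than a patch from the thread, and the passwd lines are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for iruserok(): 0 = trusted via hosts.equiv/.rhosts, -1 = not. */
static int trust_check(int trusted) { return trusted ? 0 : -1; }

/* Copy the pw_passwd (second) field of an /etc/passwd line into out.
 * Returns 0 on success, -1 if the line is malformed or the field is too long. */
int passwd_field(const char *line, char *out, size_t outlen)
{
    const char *start = strchr(line, ':');
    if (start == NULL) return -1;
    start++;
    const char *end = strchr(start, ':');
    if (end == NULL || (size_t)(end - start) >= outlen) return -1;
    memcpy(out, start, (size_t)(end - start));
    out[end - start] = '\0';
    return 0;
}

/* Same shape as the quoted rshd.c condition: the trust check is reached only
 * when pw_passwd is non-NULL and non-empty. Returns 1 when access is denied. */
int denied_original(const char *errorstr, const char *pw_passwd, int trusted)
{
    return errorstr != NULL ||
           (pw_passwd != NULL && *pw_passwd != '\0' && trust_check(trusted) < 0);
}

/* Assumed stricter variant: the trust check no longer depends on pw_passwd. */
int denied_hardened(const char *errorstr, int trusted)
{
    return errorstr != NULL || trust_check(trusted) < 0;
}

int main(void)
{
    /* Constructed lines: an empty pw_passwd field, and the "*" workaround. */
    const char *lines[] = { "kstarsm::1005:513:Example User",
                            "jt:*:1004:513:Example User" };
    for (size_t i = 0; i < 2; i++) {
        char pw[64];
        if (passwd_field(lines[i], pw, sizeof pw) != 0) continue;
        /* trusted = 0 models a host with no hosts.equiv or .rhosts entry. */
        printf("%-32s original: %-8s hardened: %s\n", lines[i],
               denied_original(NULL, pw, 0) ? "denied" : "ALLOWED",
               denied_hardened(NULL, 0) ? "denied" : "ALLOWED");
    }
    return 0;
}
```

The same passwd_field() check can be used to audit an /etc/passwd file for entries whose second field is empty.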