Re: strange limitation on rcmd()
- From: Brian Candler <B.Candler@xxxxxxxxx>
- Date: Sat, 8 Jul 2006 22:39:32 +0100
On Fri, Jul 07, 2006 at 08:30:01PM -0400, Mikhail Teterin wrote:
> The manual page says that rcmd() is only to be used by root's processes.
>
>      DESCRIPTION
>           The rcmd() function is used by the super-user to execute a command on a
>           remote machine using an authentication scheme based on reserved port
>           numbers.
>
> Note that only root can bind to reserved ports.
>
> On other OSes (Solaris, AIX), trying to call rcmd() without being root simply
> fails.
>
> FreeBSD, however, tries to be helpful and invokes rcmdsh in this case, which
> is inefficient and leaves the stderr's file descriptor (fd2p) unfilled.
>
> Why?
>
> My understanding is, this is to make it harder for would-be attackers to
> attack machines with .rhosts-based security. But that is nothing more than a
> bad band-aid anyway -- attacker's own implementation of rcmd() (without the
> geteuid() checks) is trivial...

But an attacker who doesn't have root won't be able to use their own
implementation of rcmd(). It will just fail. Either the attacker will ask to
bind to a privileged port (which will fail at the local host), or they will
bind to a non-privileged port (in which case the remote host will reject the
request).

rsh is a setuid root binary. It is able to bind to privileged ports, whilst
performing security checks that the requested access is valid. In the same
way, the 'passwd' command lets you change your own password, without letting
you change someone else's.

> So, without providing any meaningful security improvement (who is relying
> on .rhosts for security anyway?!), we are impeding a very useful
> functionality.

No security improvement is implied. Rather, you just get extra
functionality. Instead of a dead failure, certain non-root requests are
allowed (i.e. user A on host X can run commands as user A on host Y).

> rcmd offers an efficient way to send your data to a command "abroad" and even
> has a mechanism for getting the remote's stderr -- assuming your network is
> secure enough for you to trust .rhosts.

And the requesting user is running as root, so they can bind to a privileged
port.

> Why are we duplicating the misguided efforts of commercial Unixes and limiting
> it to root only?

Because this is exactly how the .rhosts security model works - it accepts
requests only from privileged ports, which in turn means that it knows the
request only came from root.

This mechanism is only valid for trusted hosts, of course. If you allow a
random person to put their own PC on the network, they can of course send
packets from privileged ports (either by installing Unix with their own root
password, or by installing DOS and sending packets which come from
privileged ports).
HTH,
Brian.
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
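An added illustration of the two halves of the reserved-port check discussed in this thread, written for this page and not taken from FreeBSD's rcmd(3) or rresvport(3) sources: the server-side test is all an rshd-style daemon can verify about a peer, and the client-side probe shows the bind being refused for an unprivileged caller. The constant and function names are this example's own; note that on current Linux kernels CAP_NET_BIND_SERVICE or the net.ipv4.ip_unprivileged_port_start sysctl can let unprivileged processes bind below 1024, so the source port proves even less there than Brian's trusted-hosts caveat already implies.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Highest reserved port: binding 1..1023 needs root (or CAP_NET_BIND_SERVICE
 * on Linux). The name is this example's, not one from rcmd(3). */
#define RESERVED_PORT_MAX 1023

/* Returns 1 if a port number lies in the reserved range, 0 otherwise. */
int port_is_reserved(unsigned port)
{
    return port >= 1 && port <= RESERVED_PORT_MAX;
}

/* Server side: the only thing the .rhosts scheme can infer from the peer's
 * source port is that something privileged on that host bound it. */
int peer_port_is_reserved(const struct sockaddr_in *peer)
{
    return port_is_reserved(ntohs(peer->sin_port));
}

/* Client side, mirroring what rresvport(3) does for rcmd(): try to bind a
 * TCP socket to a reserved port on loopback, walking down from 1023 to 512.
 * Returns the port bound (socket is closed again) or -1 with *err set to
 * errno: EACCES/EPERM for an unprivileged caller, EADDRINUSE if none free. */
int try_bind_reserved_port(int *err)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) { *err = errno; return -1; }
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    for (int port = RESERVED_PORT_MAX; port >= 512; port--) {
        sin.sin_port = htons((uint16_t)port);
        if (bind(s, (const struct sockaddr *)&sin, sizeof sin) == 0) {
            close(s); *err = 0; return port;
        }
        if (errno != EADDRINUSE) { *err = errno; close(s); return -1; }
    }
    *err = EADDRINUSE; close(s); return -1;
}

int main(void)
{
    int err = 0, port = try_bind_reserved_port(&err);
    if (port < 0)
        printf("reserved-port bind refused: %s\n", strerror(err));
    else
        printf("bound reserved port %d: caller is privileged\n", port);
    return 0;
}
```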