r command security
From: Sherman H. (shung1099_at_earthlink.net)
Date: 11/23/03
- Next message: Casper H.S. ***: "Re: Hardening a Solaris system."
- Previous message: Casper H.S. ***: "Re: Hardening a Solaris system."
- Next in thread: Dimitri Maziuk: "Re: r command security"
- Reply: Dimitri Maziuk: "Re: r command security"
- Reply: Colin McKinnon: "Re: r command security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 23 Nov 2003 18:15:23 GMT
I am working on a project and recommending removal of r-commands. However,
a few questions were brought up during my presentation.
My write-up was to clean up trust relationships in the rhost.equiv file and
stop using of r commands. Instead, I recommended using ssh. However, the
system administrators didn't buy into this because they have to use these
features to work on different AIX machines and request me to further
justify.
Their questions were:
1. If the boundary (firewall, ports) is secure, is this still a security
exposure?
2. Can a non-root user use the r commands with a trust relationship to
access other machines and gain root privileges? Since root is only assigned
to very few admins, would this be a problem?
3. What would be the exposures if allowing root or program ids to access
other machines without entering a password? If a trust relationship is
approved, what would be the issue?
4. They did not know how to use ssh to replace r commands.
I would like proceed this case further and justify their comments. Did what
they said make sense?
Thanks.
- Next message: Casper H.S. ***: "Re: Hardening a Solaris system."
- Previous message: Casper H.S. ***: "Re: Hardening a Solaris system."
- Next in thread: Dimitri Maziuk: "Re: r command security"
- Reply: Dimitri Maziuk: "Re: r command security"
- Reply: Colin McKinnon: "Re: r command security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
