[28] in bugtraq
Re: r commands
daemon@ATHENA.MIT.EDU (Dennis Glatting)
Tue Oct 18 16:19:11 1994
Date: Tue, 18 Oct 94 10:15:46 -0700
From: Dennis Glatting <dennisg@sickly.cybersafe.com>
To: bugtraq@crimelab.com
Reply-To: dennis.glatting@ocsg.com
> Well, guess I'll just pitch in my two cents. If you don't
> allow users to set up their own .rhosts files, or you
> disable them completely, then you lose what makes the
> r commands so wanted by people... transparency. They
> like them because they don't have to type a user name and
> passwd to log into other machines. Now if this disappears
> then rlogin is a beefed-up telnet. Therefore you must a)
> allow your users to use them and simply drop all incoming
> packets to any ports where the r daemons hang at the
> router, or b) don't allow them at all.
>
> In a university setting a) is probably fine while a
> business would probably go with b).
>
I remember an article where Bill Joy said "the r utilities were just
a hack until the telnet and ftp protocols are formalized". The
article continued "they escaped from the lab."

As a system administrator I can tell you the r utilities are a major
source of security holes, particularly the .rhosts file. As a
developer, I can tell you the r utility source and cross-platform
issues suck.

If you got'm, don't smoke'm.
-dpg
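
Added example, not part of the original message or of any r-utility source: a small audit that a site letting users keep their own .rhosts files could run to see which trust entries those files grant. It assumes the usual `host [user]` line format with `+` as a wildcard and `#` comment lines; the function names and the sample hosts are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_line(line):
    """Findings for one .rhosts line; an empty list means nothing was flagged."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return []  # blank line or comment line
    host = fields[0]
    user = fields[1] if len(fields) > 1 else None
    findings = []
    if host == "+":
        findings.append("any host is trusted")
    if user == "+":
        findings.append("any remote user is trusted")
    elif user is not None:
        findings.append("remote user %r may log in as the file's owner" % user)
    return findings

def audit_file(path):
    """Return (line_number, entry, finding) tuples for one .rhosts file."""
    results = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        results.append((0, path, "file is a symbolic link"))
    elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        results.append((0, path, "file is writable by group or other"))
    with open(path, errors="replace") as fh:
        for number, line in enumerate(fh, 1):
            for finding in audit_line(line):
                results.append((number, line.strip(), finding))
    return results

def demo():
    """Audit a constructed .rhosts written to a temporary directory."""
    sample = "# constructed sample\nbuild1.example.com\nlab7.example.com alice\n+ +\n"
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, ".rhosts")
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o666)  # deliberately loose mode for the demo
        return audit_file(path)

if __name__ == "__main__":
    for number, entry, finding in demo():
        print(number, entry, finding)
```

Line number 0 in the output marks a finding about the file itself rather than one of its entries.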