[1279] in linux-security and linux-alert archive


[linux-security] do_rlogin problem

daemon@ATHENA.MIT.EDU (Scott Doty)
Thu Oct 31 02:38:38 1996

From: Scott Doty <scott@sonic.net>
To: linux-security@tarsier.cv.nrao.edu
Date: Wed, 30 Oct 1996 06:40:09 -0800 (PST)

In NetKit-B-0.08, rlogin.c,
do_rlogin() is called with hp->h_name, a static value returned
by the resolver.  This value is intended to authenticate the
remote host.

do_rlogin() calls getpwnam() before using hp->h_name for
authentication.  If getpwnam() uses the resolver,
there may be undesirable side effects that change the
remote host name.

In our environment, we have observed these side effects.  Against
  char rcsid[] =
      "$Id: rlogind.c,v 1.13 1996/07/26 05:08:18 dholland Exp $";
we use the following patch:

*** rlogind.c.dist	Fri Aug 16 15:28:31 1996
--- rlogind.c	Sat Sep 21 01:24:54 1996
***************
*** 272,279 ****
  	        }
  	    }
  #endif
! 	    if (do_rlogin(hp->h_name) == 0 && hostok)
! 		    authenticated++;
  	}
  	if (confirmed == 0) {
  		write(f, "", 1);
--- 272,281 ----
  	        }
  	    }
  #endif
! 	strncpy(remotehost, hp->h_name, sizeof(remotehost)-1);
! 	remotehost[sizeof(remotehost) - 1] = 0;
! 	if (do_rlogin(remotehost) == 0 && hostok)
! 		authenticated++;
  	}
  	if (confirmed == 0) {
  		write(f, "", 1);
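Review bot: in the new lines at 272-281, strncpy() silently cuts hp->h_name down to sizeof(remotehost)-1 bytes, and that shortened string is what do_rlogin() then authenticates. A name that does not fit should be refused rather than truncated, for example by testing strlen(hp->h_name) >= sizeof(remotehost) and leaving authenticated at zero. The declaration of remotehost is not in any visible hunk; sizeof only yields the buffer size if it is a char array rather than a pointer, so the declaration belongs in the patch. A short comment saying the copy exists because hp->h_name points into static resolver storage that getpwnam() may overwrite would keep a later cleanup from undoing it.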
***************
*** 301,307 ****
                         pam_end(pamh, PAM_SUCCESS);
  #endif
  		       execl(_PATH_LOGIN, "login", "-p",
! 			     "-h", hp->h_name, "-f", lusername, 0);
                         /* should not return... */
  		} 
  		else {
--- 303,309 ----
                         pam_end(pamh, PAM_SUCCESS);
  #endif
  		       execl(_PATH_LOGIN, "login", "-p",
! 			     "-h", remotehost, "-f", lusername, 0);
                         /* should not return... */
  		} 
  		else {
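Review bot: the changed execl() line at 303-309 still ends its argument list with a bare 0. execl() is variadic, so the terminator should be a null pointer, (char *)0 or (char *)NULL, since a plain int 0 is not guaranteed to be passed as one on every ABI. It is worth fixing while this line is being touched. The switch to remotehost itself matches the first hunk.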
***************
*** 313,319 ****
  			pam_end(pamh, PAM_SUCCESS);
  #endif
  			execl(_PATH_LOGIN, "login", "-p",
! 			      "-h", hp->h_name, lusername, 0);
  			/* should not return... */
  		}
  		fatal(STDERR_FILENO, _PATH_LOGIN, 1);
--- 315,321 ----
  			pam_end(pamh, PAM_SUCCESS);
  #endif
  			execl(_PATH_LOGIN, "login", "-p",
! 			      "-h", remotehost, lusername, 0);
  			/* should not return... */
  		}
  		fatal(STDERR_FILENO, _PATH_LOGIN, 1);
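Review bot: this execl() at 315-321 now depends on remotehost having been filled in, but the only assignment visible in the patch sits inside the block that closes with the } in the first hunk. If that block can be skipped, login receives an unset buffer as its -h argument; initialise remotehost at its declaration or move the copy to directly after the lookup that sets hp. The patch also covers only three uses of hp->h_name, so any other read after do_rlogin() in rlogind.c should be checked and switched to remotehost as well.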

 -Scott Doty <scott@sonic.net>
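
The side effect described in the message, as an added example that is not part of the original post or of NetKit. The `fake_*` and `check_*` names, the host names and the buffer sizes are constructed stand-ins; the resolver is simulated so the block runs offline, and the copied variant refuses over-long names, which the posted patch does not do.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the resolver: every lookup returns a pointer
 * into one static buffer, as gethostbyaddr()/gethostbyname() do. */
struct fake_hostent { char *h_name; };

static struct fake_hostent *fake_lookup(const char *name)
{
    static char buf[64];
    static struct fake_hostent he = { buf };
    snprintf(buf, sizeof buf, "%s", name);
    return &he;
}

/* Stand-in for do_rlogin(): a user lookup whose backend uses the resolver
 * (and so overwrites the static buffer), followed by the host check. */
static int fake_do_rlogin(const char *host, const char *trusted)
{
    fake_lookup("nis-server.example");      /* side effect of "getpwnam" */
    return strcmp(host, trusted) == 0 ? 0 : -1;
}

/* Before the patch: the static h_name pointer is passed straight through. */
int check_uncopied(const char *peer, const char *trusted)
{
    struct fake_hostent *hp = fake_lookup(peer);
    return fake_do_rlogin(hp->h_name, trusted);
}

/* After: take a private copy first; names that do not fit are refused. */
int check_copied(const char *peer, const char *trusted)
{
    char remotehost[32];
    struct fake_hostent *hp = fake_lookup(peer);
    if (strlen(hp->h_name) >= sizeof remotehost)
        return -1;
    strcpy(remotehost, hp->h_name);
    return fake_do_rlogin(remotehost, trusted);
}

int main(void)
{
    printf("uncopied=%d copied=%d\n",
           check_uncopied("trusted.example", "trusted.example"),
           check_copied("trusted.example", "trusted.example"));
    return 0;
}
```

With the uncopied pointer the host check compares against whatever name the most recent lookup left in the buffer, not the peer's name.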
