[1279] in linux-security and linux-alert archive
[linux-security] do_rlogin problem
daemon@ATHENA.MIT.EDU (Scott Doty)
Thu Oct 31 02:38:38 1996
From: Scott Doty <scott@sonic.net>
To: linux-security@tarsier.cv.nrao.edu
Date: Wed, 30 Oct 1996 06:40:09 -0800 (PST)
In NetKit-B-0.08, rlogind.c,
do_rlogin() is called with hp->h_name, a static value returned
by the resolver. This value is intended to authenticate the
remote host.
do_rlogin() calls getpwnam() before using hp->h_name for
authentication. If getpwnam() uses the resolver,
there may be undesirable side effects that change the
remote host name.
In our environment, we have observed these side effects. Against
char rcsid[] =
"$Id: rlogind.c,v 1.13 1996/07/26 05:08:18 dholland Exp $";
we use the following patch:
*** rlogind.c.dist Fri Aug 16 15:28:31 1996
--- rlogind.c Sat Sep 21 01:24:54 1996
***************
*** 272,279 ****
}
}
#endif
! if (do_rlogin(hp->h_name) == 0 && hostok)
! authenticated++;
}
if (confirmed == 0) {
write(f, "", 1);
--- 272,281 ----
}
}
#endif
! strncpy(remotehost, hp->h_name, sizeof(remotehost)-1);
! remotehost[sizeof(remotehost) - 1] = 0;
! if (do_rlogin(remotehost) == 0 && hostok)
! authenticated++;
}
if (confirmed == 0) {
write(f, "", 1);
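Review bot: The copy added at `strncpy(remotehost, hp->h_name, sizeof(remotehost)-1);` silently truncates a resolver name that is too long, and the shortened string is then what do_rlogin() authenticates and what login later receives through -h. A name that does not fit should be refused rather than cut, for example `if (strlen(hp->h_name) >= sizeof(remotehost)) fatal(f, "Host name too long", 0);` ahead of the copy, following the fatal() call form visible in the last hunk. The declaration and size of remotehost and the lookup that produced hp are outside the hunk; if any resolver call sits between that lookup and this copy, the copy would need to move up to directly after the lookup to close the same window. A short comment such as `/* hp->h_name is resolver-owned static storage; keep a private copy before anything that may re-enter the resolver */` would record why the copy exists.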
***************
*** 301,307 ****
pam_end(pamh, PAM_SUCCESS);
#endif
execl(_PATH_LOGIN, "login", "-p",
! "-h", hp->h_name, "-f", lusername, 0);
/* should not return... */
}
else {
--- 303,309 ----
pam_end(pamh, PAM_SUCCESS);
#endif
execl(_PATH_LOGIN, "login", "-p",
! "-h", remotehost, "-f", lusername, 0);
/* should not return... */
}
else {
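Review bot: The argument list on the changed line `"-h", remotehost, "-f", lusername, 0);` still ends in a bare `0`, which a variadic execl() receives as an int rather than a null pointer, so on a platform where pointers are wider than int the list is not reliably terminated. The terminator should be spelled as a pointer, `"-h", remotehost, "-f", lusername, (char *)NULL);`, and the same applies to the execl() call in the following hunk. The enclosing function begins and ends outside the hunk.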
***************
*** 313,319 ****
pam_end(pamh, PAM_SUCCESS);
#endif
execl(_PATH_LOGIN, "login", "-p",
! "-h", hp->h_name, lusername, 0);
/* should not return... */
}
fatal(STDERR_FILENO, _PATH_LOGIN, 1);
--- 315,321 ----
pam_end(pamh, PAM_SUCCESS);
#endif
execl(_PATH_LOGIN, "login", "-p",
! "-h", remotehost, lusername, 0);
/* should not return... */
}
fatal(STDERR_FILENO, _PATH_LOGIN, 1);
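Review bot: In `"-h", remotehost, lusername, 0);` lusername, which appears to come from the connecting client, is handed to login as a bare positional argument, and nothing visible in the hunk checks its first character. If login parses its arguments with getopt, a value beginning with `-` would be read as an option rather than a user name, so such names are worth rejecting before the exec, e.g. `if (lusername[0] == '-') fatal(STDERR_FILENO, "invalid user name", 0);`. Whether lusername is already validated earlier in the function cannot be seen from here, since the function body starts outside the hunk.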
-Scott Doty <scott@sonic.net>