[880] in linux-security and linux-alert archive
Re: [linux-security] [8lgm]-Advisory-26.UNIX.rdist.20-3-1996 [Forwarded e-mail from Security Team]
daemon@ATHENA.MIT.EDU (Peter Tobias)
Thu Jul 4 16:00:46 1996
To: juphoff@tarsier.cv.nrao.edu (Jeff Uphoff)
Date: Thu, 4 Jul 1996 16:40:51 +0200 (MET DST)
From: "Peter Tobias" <tobias@server.et-inf.fho-emden.de>
Cc: linux-security@tarsier.cv.nrao.edu
Reply-To: tobias@et-inf.fho-emden.de
In-Reply-To: <199607032330.TAA30525@tarsier.cv.nrao.edu> from "Jeff Uphoff" at Jul 3, 96 07:30:06 pm
Jeff Uphoff wrote:
> Red Hat 3.0.3 and Slackware 3.0 (the only distributions I've checked so
> far) appear safe: by default, they do not install rdist setuid--though
> the version that comes with them (rdist-6.1.0) would be vulnerable if
> made setuid (by hand) after installation, for whatever strange reason.
> (I've inspected the code, and the unchecked buffer is rather obvious.)
>
> Note that there is no need to install rdist setuid if it is compiled to
> use rsh vice rcmd(); rsh is the (safe) default, and is the compilation
> method used by both Red Hat and Slackware.
>
> Anyone care to take a look at other Linux distributions to check for
> default installations that are configured for setuid/rcmd()?
The Debian distribution does not install rdist setuid.
Thanks,
Peter
--
Peter Tobias EMail:
Fachhochschule Ostfriesland tobias@et-inf.fho-emden.de
Fachbereich Elektrotechnik und Informatik tobias@debian.org
Constantiaplatz 4, 26723 Emden, Germany tobias@linux.de
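
The per-distribution check asked for in this thread can be scripted. The following is an added example, not part of the original message or of any distribution's tooling. The function names and the directory list are assumptions. It inspects file mode bits only and cannot tell whether a given rdist was compiled to use rsh or rcmd().

```shell
#!/bin/sh
# Added example: report whether installed copies of a binary carry the
# setuid/setgid bit. Function names and search directories are assumptions.

# check_mode FILE: print "setuid+setgid", "setuid", "setgid" or "plain".
# Returns 2 if FILE is not a regular file.
check_mode() {
    [ -f "$1" ] || return 2
    if [ -u "$1" ] && [ -g "$1" ]; then
        echo "setuid+setgid"
    elif [ -u "$1" ]; then
        echo "setuid"
    elif [ -g "$1" ]; then
        echo "setgid"
    else
        echo "plain"
    fi
}

# audit_binary NAME DIR...: print "<path> <state> uid=<owner uid>" for each
# copy of NAME found in the given directories.
# Returns 1 if any copy has the setuid bit set, 0 otherwise.
audit_binary() {
    name=$1
    shift
    status=0
    for dir in "$@"; do
        path="$dir/$name"
        state=$(check_mode "$path") || continue
        # -n prints the numeric owner; -L follows a symlink to the real file.
        uid=$(ls -lnL "$path" | awk '{print $3}')
        echo "$path $state uid=$uid"
        case $state in
            setuid*) status=1 ;;
        esac
    done
    return $status
}

# Typical locations for rdist (assumed; adjust per distribution).
audit_binary rdist /usr/bin /usr/sbin /usr/local/bin /usr/ucb ||
    echo "rdist is installed setuid: confirm it is patched or clear the bit"
```

A line showing `setuid` together with `uid=0` is the configuration the advisory is concerned with; `plain` matches the defaults reported above for Red Hat, Slackware and Debian.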