[1797] in Kerberos
Re: Do the r-commands need to be setuid?
daemon@ATHENA.MIT.EDU (Steve Lunt)
Thu Mar 5 19:12:54 1992
Date: Thu, 5 Mar 92 18:29:03 EST
From: Steve Lunt <lunt@ctt.bellcore.com>
To: jtkohl@cs.berkeley.edu
Cc: kerberos@Athena.MIT.EDU
John,
It turns out that rcp in particular does need to be setuid.
rcp worked fine without the setuid bit on, but whenever I
tried "rcp -x", it failed with the following error:
krb_sendauth mutual fail: Generic kerberos error (kfailure)
It took quite a lot of debugging to figure out that the error
is due to the fact that, when performing mutual authentication (on
the server side), rcp needs to read /etc/srvtab. The rcp client side
connects to the kshd on the server side, which then exec's the rcp
command, only after kshd has set the uid of the process to the user's
uid. Ir rcp is not setuid on the server side, it will not be able to
read srvtab.
You would think that rsh/rshd would be utilized by rcp, and
you would also think that rsh would have a -x option (allowing rcp to
use it as well).
-- Steve
Steven J. Lunt | lunt@bellcore.com | RRC 1L-213
Information Technology Security |---------------------| 444 Hoes Lane
Bellcore | (908) 699-4244 | Piscataway, NJ 08854
----- Begin Included Message -----
Date: Thu, 9 Jan 92 14:43:20 PST
To: Steve Lunt <lunt@ctt.bellcore.com>
Cc: kerberos@athena.mit.edu
In-Reply-To: [1703]
Subject: Re: Do the r-commands need to be setuid?
From: John T Kohl <jtkohl@cs.berkeley.edu>
Sender: jtkohl@echidna.berkeley.edu
Reply-To: jtkohl@cs.berkeley.edu
> Date: Thu, 9 Jan 92 16:37:09 EST
> From: Steve Lunt <lunt@ctt.bellcore.com>
>
> I inadvertantly installed the Kerberos rlogin, rsh, and rcp
> commands without the setuid bit on, but they seem to work just fine.
> Is there a need for them to be setuid?
Not really. Ancient kshd/klogind's would have insisted on the origin
port being a reserved port, but anything outside MIT needn't worry about
that (I believe if you inspect the code, the client side will bind to a
UNIX "reserved port" if you compile -DATHENA or -DATHENA_COMPAT)
John
----- End Included Message -----
