[1800] in Kerberos
Re: Do the r-commands need to be setuid?
daemon@ATHENA.MIT.EDU (raeburn@cygnus.com)
Thu Mar 5 21:57:56 1992
Date: Thu, 5 Mar 92 20:59:26 EST
From: raeburn@cygnus.com
To: kerberos@Athena.MIT.EDU
In-Reply-To: <9203052329.AA19509@shadow.secure.bellcore.com> (message from Steve Lunt on Thu, 5 Mar 92 18:29:03 EST)
Date: Thu, 5 Mar 92 18:29:03 EST
From: Steve Lunt <lunt@ctt.bellcore.com>
It took quite a lot of debugging to figure out that the error
is due to the fact that, when performing mutual authentication (on
the server side), rcp needs to read /etc/srvtab. The rcp client side
connects to the kshd on the server side, which then exec's the rcp
command, only after kshd has set the uid of the process to the user's
uid. Ir rcp is not setuid on the server side, it will not be able to
read srvtab.
I ran into this recently when working up an encrypted-stream library
(compatible with rlogin and rcp) to be added to the Kerberos support
package that Cygnus Support is offering.
Debugging it was kind of painful. Additional logging from the program
or library would have been very helpful.
You would think that rsh/rshd would be utilized by rcp, and
you would also think that rsh would have a -x option (allowing rcp to
use it as well).
Yes, you would... and in fact, encrypted rsh is on the list of things
we are planning to add to our package.
Ken
