[2947] in bugtraq
Re: rdist exploit [bsdi]
daemon@ATHENA.MIT.EDU (Chris Siebenmann)
Tue Jul 16 18:51:07 1996
Date: Tue, 16 Jul 1996 18:09:52 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Chris Siebenmann <cks@hawkwind.utcs.toronto.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: caseq's message of Sun, 14 Jul 1996 06:41:44 -0400.
             <9607141041.AA03946@sharks>

The real way to fix this hole in rdist is to run a version of rdist
that is not setuid root. Patching the source and leaving rdist setuid
root is just a bandaid until the next exploit is found.

The only reason rdist is setuid root is so it can use rcmd(); it is
easy to write a replacement for rcmd() that forks rsh. I did this and
announced it back in November of 1991, when the first rdist security
hole was announced, and you can get the code from ftp.sys.utoronto.ca
as /pub/rdist.tar.gz. Versions of rdist 6 have come non-setuid for some
time, after John DiMarco took my change and integrated it.

I find rdist's continuing setuid state (and the resulting security
exposures that turn up) a stunning testimony to just how much vendors
really care about Unix security.

--
"there used to be two moons
then one of them
discovered coffee." - Curtis Yarvin
cks@hawkwind.utcs.toronto.edu ...!{utgpu,utzoo,watmath}!utgpu!cks
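
The approach described in the message above (replace rcmd() with a fork of rsh so the calling program needs no setuid bit), sketched as an added example; this is not the code from rdist.tar.gz or from rdist 6. The names rcmd_via_rsh and read_reply, the sample host, user and command, and the use of echo as an offline stand-in for rsh are all assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Hypothetical stand-in for rcmd(): returns a socket carrying the remote
 * command's stdin/stdout, or -1. rcmd() must bind a reserved port, hence
 * setuid root; here the rsh program does that part, so the caller runs
 * with only the invoking user's privileges. */
int rcmd_via_rsh(const char *rsh_prog, const char *host,
                 const char *remuser, const char *cmd, pid_t *child)
{
    int sv[2];
    pid_t pid;
    /* A leading '-' would be parsed by rsh as an option, not a name. */
    if (host[0] == '-' || remuser[0] == '-') return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if ((pid = fork()) < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {
        close(sv[0]);
        if (dup2(sv[1], STDIN_FILENO) < 0 || dup2(sv[1], STDOUT_FILENO) < 0)
            _exit(126);
        if (sv[1] > STDOUT_FILENO) close(sv[1]);
        /* argv vector, no local shell: the strings are not re-parsed here */
        execlp(rsh_prog, rsh_prog, host, "-l", remuser, cmd, (char *)NULL);
        _exit(127);                       /* exec failed */
    }
    close(sv[1]);
    *child = pid;
    return sv[0];
}

/* Read the reply until EOF, NUL-terminate it, then reap the child. */
ssize_t read_reply(int fd, char *buf, size_t cap, pid_t child)
{
    size_t n = 0;
    ssize_t r;
    while (n < cap - 1 && (r = read(fd, buf + n, cap - 1 - n)) > 0)
        n += (size_t)r;
    buf[n] = '\0';
    close(fd);
    waitpid(child, NULL, 0);
    return (ssize_t)n;
}

int main(void)
{
    char buf[256];
    pid_t pid;
    /* Constructed sample: "echo" replaces rsh, so the argv is echoed back. */
    int fd = rcmd_via_rsh("echo", "testhost", "alice", "rdist -Server", &pid);
    if (fd < 0 || read_reply(fd, buf, sizeof buf, pid) <= 0) return 1;
    printf("child argv: %s", buf);
    return 0;
}
```

With a real rsh as the first argument, the returned descriptor plays the role of the socket rcmd() would have returned; the privileged-port handling stays inside rsh.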