Bug 49181
| Summary: | rexec lets anyone inpersonate anyone with a .rhosts file | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | leonb |
| Component: | rsh | Assignee: | Phil Knirsch <pknirsch> |
| Status: | CLOSED RAWHIDE | QA Contact: | David Lawrence <dkl> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.1 | CC: | rvokal |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2001-07-20 17:36:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Ok, removed the line. Fix should appear in rawhide soon. Read ya, Phil |
Description of Problem: /etc/pam.d/rexec specifies auth sufficient /lib/security/pam_rhosts_auth.so This allows rhosts authentication like rsh. But, unlike the rsh daemon, the rexec daemon does not require that the tcp connection originates from a privileged port and therefore that the remote username is provided by a trusted application. Any user can replicate the rexec protocol and specify arbitrary remote username. This username will then be considered for rhost authentication. Steps to Reproduce: 1. Enable rexec service 2. Setup user joe on machine foo and bar 3. On bar, insert foo in joe's .rhosts file 4. Log as guest user on foo 5. Connect to rexec service on bar using an unprivileged port number. 6. Execute rexec protocol specifying joe as local and remote user name to joe. Any password will do. Command is "rm *". 7. PAM performs rhost authentication for joe and accepts the connection. 8. Joe's files on bar are detroyed Fix: Remove the offending line in /etc/pam.d/rexec. Traditional rexec does not honor rhost authentication anyway. Rhost authentication should only be used when the remote user name can be trusted. Meaning that : 1) the remote machine is trusted (the user should not specify untrusted machines in .rhost) 2) the protocol was executed by a trusted program (i.e. by a hopefully secure setuid program that is allowed to open privileged sockets) Neither rsh nor rlogin nor rexec are very secure to start with (monitoring ip traffic reveals clear text passwords, fake ip packets can pass as privileged packers, etc.) But rhost authentication in rexec makes it a lot weaker, because the attacker does not even need local root privileges.