
Re: [linux-security] do_rlogin problem



In case you didn't read it in linux-security (although most of you will
have).  Mr. Doty, since you published this in a public forum, I trust
you don't mind.

> From: Scott Doty <scott@sonic.net>
> Subject: [linux-security] do_rlogin problem
> 
> In NetKit-B-0.08, rlogin.c,
> do_rlogin() is called with hp->h_name, a static value returned
> by the resolver.  This value is intended to authenticate the
> remote host.
> 
> do_rlogin() calls getpwnam() before using hp->h_name for
> authentication.  If getpwnam() uses the resolver,
> there may be undesirable side effects that change the
> remote host name.
> 
> In our environment, we have observed these side effects.  Against
>   char rcsid[] =
>       "$Id: rlogind.c,v 1.13 1996/07/26 05:08:18 dholland Exp $";
> we use the following patch:
> 
> *** rlogind.c.dist	Fri Aug 16 15:28:31 1996
> --- rlogind.c	Sat Sep 21 01:24:54 1996
> ***************
> *** 272,279 ****
>   	        }
>   	    }
>   #endif
> ! 	    if (do_rlogin(hp->h_name) == 0 && hostok)
> ! 		    authenticated++;
>   	}
>   	if (confirmed == 0) {
>   		write(f, "", 1);
> --- 272,281 ----
>   	        }
>   	    }
>   #endif
> ! 	strncpy(remotehost, hp->h_name, sizeof(remotehost)-1);
> ! 	remotehost[sizeof(remotehost) - 1] = 0;
> ! 	if (do_rlogin(remotehost) == 0 && hostok)
> ! 		authenticated++;
>   	}
>   	if (confirmed == 0) {
>   		write(f, "", 1);
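Review bot: remotehost has no declaration anywhere in this patch, and the sizeof(remotehost) arithmetic in the two added lines is only correct if it is a char array visible at this point; if it is a char *, the copy is cut to the size of a pointer. Please include the declaration in the patch, sized for the longest name the resolver can return. Separately, strncpy() truncates silently, so an over-long hp->h_name would reach do_rlogin() as a different, shorter host name; comparing strlen(hp->h_name) against sizeof(remotehost) and refusing the connection on overflow would be safer than authenticating a truncated name.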
> ***************
> *** 301,307 ****
>                          pam_end(pamh, PAM_SUCCESS);
>   #endif
>   		       execl(_PATH_LOGIN, "login", "-p",
> ! 			     "-h", hp->h_name, "-f", lusername, 0);
>                          /* should not return... */
>   		} 
>   		else {
> --- 303,309 ----
>                          pam_end(pamh, PAM_SUCCESS);
>   #endif
>   		       execl(_PATH_LOGIN, "login", "-p",
> ! 			     "-h", remotehost, "-f", lusername, 0);
>                          /* should not return... */
>   		} 
>   		else {
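Review bot: the execl() argument list on the changed line still ends in a bare 0, which travels through the variadic call as an int rather than a null pointer; since the line is being touched anyway, terminate it with (char *)NULL, and do the same for the second execl() further down. The value given to login -h should stay the exact buffer that do_rlogin() checked, so nothing between the two calls should write to remotehost.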
> ***************
> *** 313,319 ****
>   			pam_end(pamh, PAM_SUCCESS);
>   #endif
>   			execl(_PATH_LOGIN, "login", "-p",
> ! 			      "-h", hp->h_name, lusername, 0);
>   			/* should not return... */
>   		}
>   		fatal(STDERR_FILENO, _PATH_LOGIN, 1);
> --- 315,321 ----
>   			pam_end(pamh, PAM_SUCCESS);
>   #endif
>   			execl(_PATH_LOGIN, "login", "-p",
> ! 			      "-h", remotehost, lusername, 0);
>   			/* should not return... */
>   		}
>   		fatal(STDERR_FILENO, _PATH_LOGIN, 1);
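Review bot: nothing at this call site, or in the other changed lines, records why hp->h_name must not be used once the user lookup has run, so a later cleanup could easily put it back. A short comment where remotehost is filled in, saying that hp points into resolver static storage that getpwnam() may overwrite, would keep the fix from being undone.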
> 
>  -Scott Doty <scott@sonic.net>

Joe Yao				jsdy@cais.com - Joseph S. D. Yao
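
The hazard described in the quoted report, as an added example that is not part of the original post or of NetKit: a host name held in static resolver storage is overwritten by a lookup made before the host check. Every function and host name below (fake_resolve, fake_getpwnam, fake_do_rlogin, auth_unpatched, auth_patched, the example.* names) is a hypothetical stand-in, and the patched variant goes one step beyond the posted patch by refusing an over-long name instead of truncating it.

```c
#include <stdio.h>
#include <string.h>
#define PEER "trusted.example.com"   /* constructed trusted host name */

/* Hypothetical resolver stand-in: like gethostbyaddr(), every call returns
 * a pointer into the same static buffer and overwrites the previous result. */
static const char *fake_resolve(const char *name)
{
    static char h_name[256];
    snprintf(h_name, sizeof h_name, "%s", name);
    return h_name;
}

/* Hypothetical getpwnam() stand-in whose user database uses the resolver. */
static void fake_getpwnam(const char *user)
{
    (void)user;
    (void)fake_resolve("userdb.example.net");   /* constructed name */
}

/* Hypothetical do_rlogin() stand-in: user lookup first, host check second. */
static int fake_do_rlogin(const char *rhost, const char *user)
{
    fake_getpwnam(user);
    return strcmp(rhost, PEER) == 0 ? 0 : -1;   /* 0 means authenticated */
}

/* Before: the resolver's static pointer is handed straight to the check. */
int auth_unpatched(const char *peer, const char *user)
{
    return fake_do_rlogin(fake_resolve(peer), user);
}

/* After: private copy first; an over-long name is refused, not truncated. */
int auth_patched(const char *peer, const char *user)
{
    char remotehost[64];
    const char *h = fake_resolve(peer);
    size_t n = strlen(h);
    if (n >= sizeof remotehost)
        return -2;
    memcpy(remotehost, h, n + 1);
    return fake_do_rlogin(remotehost, user);
}

int main(void)
{
    printf("unpatched=%d patched=%d\n", auth_unpatched(PEER, "u"), auth_patched(PEER, "u"));
    return 0;
}
```

In the unpatched path the check compares the user-database server's name, not the peer's, which is the side effect the report describes.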

