BoS: Re: WARNING: libc/ruserok security hole
>Date: Tue, 23 Apr 1996 03:19:16 -0700 (MST)
>From: Jeff Coy Jr. <jcoy@jcoy-ppp.cscwc.pima.edu>
>To: Greg Spiegelberg <gs0@s1.GANet.NET>
>Cc: j@pobox.com, linux-security@tarsier.cv.nrao.edu,
> best-of-security@suburbia.net, linux-gcc@vger.rutgers.edu,
> nclug@vis.colostate.edu
>Subject: BoS: Re: WARNING: libc/ruserok security hole
>
>On Mon, 22 Apr 1996, Greg Spiegelberg wrote:
>
>> Jeff Coy Jr. said, and I indent...
>> --
>> --On Sun, 21 Apr 1996, Joel Maslak wrote:
>> --
>> -->
>> --> libc 5.3.9 has a major security bug in it. It affects rlogin/rsh.
>> -->
>> --> Scope: If your system uses rlogin/rsh, local and remote users may
>> --> rsh/rlogin to an arbitrary account on your system.
>> -->
>> --> Fix:
>> --> Method (1): downgrade libc. I know 5.0.9 is secure.
>> --> Method (2): add user name specifications to all .rhosts files.
>> -->
>> --> I.E.: .rhosts:
>> --> plains.uwyo.edu jmaslak
>> -->
>> --> NOT:
>> --> plains.uwyo.edu
>> -->
>> --
>> --um... this might not be enough. i was able to rlogin to every other
>> --account on my machine (except root) with:
>> --
>> -- rlogin localhost -l <username>
>> --
>> --even when i put in the user name specification. it didn't matter if
>> --there was a .rhosts file there or not. taking "localhost" out of
>> --/etc/hosts.equiv fixed that tho. and some (most?) distributions come
>> --with localhost in there...
>>
>> Ugly. Just ugly. :(
>>
>> There is a 4th method to block this but it would be more for the home,
>> single user machines connected to the net: tcp_wrappers.
>>
>
>i backed off libc to v5.2.18 for all my linux machines that are networked,
>but as someone posted (forgive me for not remembering your name- you are
>very appreciated), recompiling libc without -DYP seems to patch things
>fine.
>
>i'm not able to lock everyone out of the machines, and i don't want to
>back off libc on my ppp box. i feel the above patch will suffice for my
>ppp machine until there is an official fix.
>
>maybe HJ should replace libc-5.3.9.bin.tar.gz with one that isn't
>configured with -DYP & stick it in .../GCC- i haven't verified that this
>will work with 5.3.9, but it seems to be fine with 5.3.11.
>
>jeff
>---
>Why Linux? source code. POSIX. tcpip. job control. support from the authors.
>drivers for most hardware. because one terminal or process is never enough.
> forget the other O/Ss, i use Linux- the choice of a GNU generation.
>
Ron Cohen, Tel-Aviv University Computation Center
Office 03-6407043, Home 09-663590
E-mail: rony@post.tau.ac.il, rony@rony.ac.il
Fax: (972) 3-6409118
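As a defender-side aid added here (not code from the thread or from anyone quoted in it), the following Python script parses rhosts-style trust files and flags the two configurations the thread discusses: host-only entries in a user's .rhosts (Joel Maslak's Method 2 is to add the remote user name) and a localhost entry in /etc/hosts.equiv (which Jeff Coy found let him rlogin to other local accounts regardless of .rhosts). It also flags the `+` wildcard, which is standard rhosts syntax and goes beyond what the thread mentions. The file contents and host names are constructed samples.

```python
"""Audit rhosts-style trust files (.rhosts and /etc/hosts.equiv).

Added example; not code from the thread. Each entry is 'host' or 'host user',
with blank lines and '#' comments ignored. The checks below correspond to the
configuration fixes discussed in the thread (user-name specifications in
.rhosts, no 'localhost' in /etc/hosts.equiv) plus the '+' wildcard, which is
standard rhosts syntax not mentioned in the thread.
"""
from typing import List, Tuple

# Constructed sample file contents, used only for demonstration.
SAMPLE_RHOSTS = """\
# trusted hosts for this account
plains.uwyo.edu jmaslak
plains.uwyo.edu
+ +
"""

SAMPLE_HOSTS_EQUIV = """\
localhost
trusted.example.org
"""


def parse_trust_file(text: str) -> List[Tuple[str, str]]:
    """Return (host, user) pairs; user is '' for a host-only entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else ""
        entries.append((host, user))
    return entries


def audit_rhosts(text: str) -> List[str]:
    """Findings for a per-user .rhosts file."""
    findings = []
    for host, user in parse_trust_file(text):
        entry = f"{host} {user}".strip()
        if host == "+" or user == "+":
            findings.append(f"wildcard entry {entry!r}: trusts any host and/or any user")
        elif user == "":
            findings.append(
                f"host-only entry {entry!r}: add the remote user name "
                "(the thread's Method 2)"
            )
    return findings


def audit_hosts_equiv(text: str) -> List[str]:
    """Findings for the system-wide /etc/hosts.equiv."""
    findings = []
    for host, user in parse_trust_file(text):
        entry = f"{host} {user}".strip()
        if host == "+" or user == "+":
            findings.append(f"wildcard entry {entry!r}: trusts any host and/or any user")
        elif host == "localhost":
            findings.append(
                f"entry {entry!r}: local users can rlogin to other local accounts; "
                "remove it (the fix Jeff Coy describes)"
            )
    return findings


if __name__ == "__main__":
    for name, text, check in (
        ("~/.rhosts", SAMPLE_RHOSTS, audit_rhosts),
        ("/etc/hosts.equiv", SAMPLE_HOSTS_EQUIV, audit_hosts_equiv),
    ):
        print(f"== {name} ==")
        for finding in check(text) or ["no findings"]:
            print("  " + finding)
```

This checks configuration only; it does not change how the affected libc's ruserok behaves, so it complements rather than replaces the library downgrade or the recompile without -DYP that the thread describes. To run it against real files, read their contents and pass them to the matching audit function.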