strange limitation on rcmd()

Mikhail Teterin mi+mx at aldan.algebra.com
Sat Jul 8 00:30:19 UTC 2006


The manual page says that rcmd() is only to be used by root's processes.

On other OSes (Solaris, AIX), trying to call rcmd() without being root simply 
fails.

FreeBSD, however, tries to be helpful and invokes rcmdsh in this case, which 
is inefficient and leaves the stderr file descriptor (fd2p) unfilled.

Why?

My understanding is that this is to make it harder for would-be attackers to 
attack machines with .rhosts-based security. But that is nothing more than a 
bad band-aid anyway -- an attacker's own implementation of rcmd() (without the 
geteuid() checks) is trivial...

So, without providing any meaningful security improvement (who is relying 
on .rhosts for security anyway?!), we are impeding a very useful 
functionality.

rcmd offers an efficient way to send your data to a command "abroad" and even 
has a mechanism for getting the remote's stderr -- assuming your network is 
secure enough for you to trust .rhosts.

Why are we duplicating the misguided efforts of commercial Unixes and limiting 
it to root only? "Mechanism, not policy", please...

	-mi
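The practical consequence of the behaviour complained about above is that a non-root caller of rcmd() on FreeBSD gets a connection with no stderr channel and nothing tells it so. The following is an added example, not code from the post or from FreeBSD's libc, of a caller-side guard: fd2p is pre-set to -1 so a silent fallback is detectable, and a small policy function decides up front whether rcmd(), an explicit rcmdsh(), or an outright EPERM (the Solaris/AIX behaviour the post describes) is the right call. The names plan_rcmd, run_remote, FREEBSD_LIKE and SHELL_PORT are chosen here; the assumption that the rcmdsh fallback is present only when __FreeBSD__ is defined is mine (the post names only FreeBSD), and on other systems that branch is compiled out.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>      /* glibc declares rcmd() here */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>     /* FreeBSD declares rcmd() and rcmdsh() here */

/* Assumption for this example: only FreeBSD turns a non-root rcmd() into rcmdsh(). */
#ifdef __FreeBSD__
#define FREEBSD_LIKE 1
#else
#define FREEBSD_LIKE 0
#endif

#define SHELL_PORT 514  /* shell/tcp; rcmd() expects it in network byte order */

enum rcmd_plan {
    RCMD_USE_RCMD,    /* root: rcmd() can return both the command socket and a stderr socket */
    RCMD_USE_RCMDSH,  /* non-root on FreeBSD: rcmd() would call rcmdsh() anyway, which never fills fd2p */
    RCMD_REFUSE       /* non-root elsewhere, or the caller insists on a stderr channel */
};

/* Pure decision function so the policy can be tested without a network. */
enum rcmd_plan plan_rcmd(uid_t euid, int freebsd_like, int need_stderr)
{
    if (euid == 0)
        return RCMD_USE_RCMD;
    if (need_stderr || !freebsd_like)
        return RCMD_REFUSE;
    return RCMD_USE_RCMDSH;
}

/* Run cmd on host. Returns the stdin/stdout socket or -1 (errno set).
 * If fd2p is non-NULL the caller requires a stderr socket; a call that
 * could only deliver a stderr-less session fails instead of lying. */
int run_remote(char *host, const char *locuser, const char *remuser,
               const char *cmd, int *fd2p)
{
    int fd2 = -1;   /* sentinel: only overwritten when a stderr socket really exists */
    int s = -1;

    switch (plan_rcmd(geteuid(), FREEBSD_LIKE, fd2p != NULL)) {
    case RCMD_REFUSE:
        errno = EPERM;
        return -1;
    case RCMD_USE_RCMDSH:
#if FREEBSD_LIKE
        /* Make the fallback explicit; NULL selects the default rsh program. */
        s = rcmdsh(&host, htons(SHELL_PORT), locuser, remuser, cmd, NULL);
#endif
        break;
    case RCMD_USE_RCMD:
        s = rcmd(&host, htons(SHELL_PORT), locuser, remuser, cmd,
                 fd2p != NULL ? &fd2 : NULL);
        break;
    }
    if (s < 0)
        return -1;
    if (fd2p != NULL) {
        if (fd2 == -1) {          /* connected, but the library gave us no stderr socket */
            close(s);
            errno = ENOTSUP;
            return -1;
        }
        *fd2p = fd2;
    }
    return s;
}

int main(int argc, char **argv)
{
    int s, err_fd = -1;
    char buf[512];
    ssize_t n;

    if (argc != 5) {
        fprintf(stderr, "usage: %s host locuser remuser cmd\n", argv[0]);
        return 2;
    }
    /* First ask for a stderr channel; if policy forbids it, retry without one. */
    s = run_remote(argv[1], argv[2], argv[3], argv[4], &err_fd);
    if (s < 0 && errno == EPERM) {
        fprintf(stderr, "not root: no remote stderr channel available\n");
        s = run_remote(argv[1], argv[2], argv[3], argv[4], NULL);
    }
    if (s < 0) {
        perror("run_remote");
        return 1;
    }
    while ((n = read(s, buf, sizeof buf)) > 0)
        fwrite(buf, 1, (size_t)n, stdout);
    if (err_fd != -1)
        close(err_fd);
    close(s);
    return 0;
}
```

The sentinel check after rcmd() is the part worth keeping even if the policy function is dropped: any library that may quietly substitute a different transport should be called with its optional out-parameters pre-initialised to an impossible value and inspected afterwards.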
