From owner-freebsd-net@FreeBSD.ORG Sat Jul 8 00:30:19 2006 Return-Path: X-Original-To: net@freebsd.org Delivered-To: freebsd-net@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 255C916A4E1; Sat, 8 Jul 2006 00:30:19 +0000 (UTC) (envelope-from mi+mx@aldan.algebra.com) Received: from aldan.algebra.com (aldan.algebra.com [216.254.65.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0024943D4C; Sat, 8 Jul 2006 00:30:14 +0000 (GMT) (envelope-from mi+mx@aldan.algebra.com) Received: from corbulon.video-collage.com (static-151-204-231-237.bos.east.verizon.net [151.204.231.237]) by aldan.algebra.com (8.13.6/8.13.6) with ESMTP id k680UD52000871 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 7 Jul 2006 20:30:14 -0400 (EDT) (envelope-from mi+mx@aldan.algebra.com) Received: from [172.21.130.86] (mx-broadway [38.98.68.18]) by corbulon.video-collage.com (8.13.6/8.13.6) with ESMTP id k680U7MK038308 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 7 Jul 2006 20:30:08 -0400 (EDT) (envelope-from mi+mx@aldan.algebra.com) From: Mikhail Teterin Organization: Virtual Estates, Inc. To: net@freebsd.org Date: Fri, 7 Jul 2006 20:30:01 -0400 User-Agent: KMail/1.9.1 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200607072030.01999.mi+mx@aldan.algebra.com> X-Virus-Scanned: ClamAV 0.88/1589/Fri Jul 7 10:37:51 2006 on corbulon.video-collage.com X-Virus-Status: Clean X-Scanned-By: MIMEDefang 2.43 Cc: freebsd-security@freebsd.org, imp@freebsd.org Subject: strange limitation on rcmd() X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Jul 2006 00:30:19 -0000 The manual page says, that rcmd() is only to be used by root's processes. On other OSes (Solaris, AIX), trying to call rcmd() without being root simply fails. FreeBSD, however, tries to be helpful and invokes rcmdsh in this case, which is inefficient and leaves the stderr's filedescriptor (fd2p) unfilled. Why? My understanding is, this is to make it harder for would-be attackers to attack machines with .rhosts-based security. But that is nothing more than a bad band-aid anyway -- attacker's own implementation of rcmd() (without the geteuid() checks) is trivial... So, without providing any meaningful security improvement (who is relying on .rhosts for security anyway?!), we are impeding a very useful functionality. rcmd offers an efficient way to send your data to a command "abroad" and even has a mechanism for getting the remote's stderr -- assuming, your network is secure enough for you to trust .rhosts. Why are we duplicating the misguided efforts of commercial Unixes and limiting it to root only? "Mechanism, not policy", please... -mi