Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 8 Jul 2006 22:39:32 +0100
From:      Brian Candler <B.Candler@pobox.com>
To:        Mikhail Teterin <mi+mx@aldan.algebra.com>
Cc:        freebsd-security@freebsd.org, imp@freebsd.org, net@freebsd.org
Subject:   Re: strange limitation on rcmd()
Message-ID:  <20060708213932.GA41178@uk.tiscali.com>
In-Reply-To: <200607072030.01999.mi%2Bmx@aldan.algebra.com>
References:  <200607072030.01999.mi%2Bmx@aldan.algebra.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jul 07, 2006 at 08:30:01PM -0400, Mikhail Teterin wrote:
> The manual page says, that rcmd() is only to be used by root's processes.

DESCRIPTION
     The rcmd() function is used by the super-user to execute a command on a
     remote machine using an authentication scheme based on reserved port num-
     bers.

Note that only root can bind to reserved ports.

> On other OSes (Solaris, AIX), trying to call rcmd() without being root simply 
> fails.
> 
> FreeBSD, however, tries to be helpful and invokes rcmdsh in this case, which 
> is inefficient and leaves the stderr's filedescriptor (fd2p) unfilled.
> 
> Why?
> 
> My understanding is, this is to make it harder for would-be attackers to 
> attack machines with .rhosts-based security. But that is nothing more than a 
> bad band-aid anyway -- attacker's own implementation of rcmd() (without the 
> geteuid() checks) is trivial...

But an attacker who doesn't have root won't be able to use their own
implementation of rcmd(). It will just fail. Either the attacker will ask to
bind to a privileged port (which will fail at the local host), or they will
bind to a non-privileged port (in which case the remote host will reject the
request)

rsh is a setuid root binary. It is able to bind to privileged ports, whilst
performing security checks that the requested access is valid. In the same
way, the 'passwd' command lets you change your own password, without letting
you change someone else's.

> So, without providing any meaningful security improvement (who is relying 
> on .rhosts for security anyway?!), we are impeding a very useful 
> functionality.

No security improvement is implied. Rather, you just get extra
functionality. Instead of a dead failure, certain non-root requests are
allowed (i.e. user A on host X can run commands as user A on host Y)

> rcmd offers an efficient way to send your data to a command "abroad" and even 
> has a mechanism for getting the remote's stderr -- assuming, your network is 
> secure enough for you to trust .rhosts.

And the requesting user is running as root, so they can bind to a privileged
port.

> Why are we duplicating the misguided efforts of commercial Unixes and limiting 
> it to root only?

Because this is exactly how the .rhosts security model works - it accepts
requests only from privileged ports, which in turn means that it knows the
request only came from root.

This mechanism is only valid for trusted hosts, of course. If you allow a
random person to put their own PC on the network, they can of course send
packets from privileged ports (either by installing Unix with their own root
password, or by installing DOS and sending packets which come from
privileged ports)

HTH,

Brian.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060708213932.GA41178>