Date: Fri, 12 May 2000 16:10:27 +0100 (BST)
From: Jan Grant
To: Nick Sayer
Cc: hackers@freebsd.org
Subject: Re: rexec as root
In-Reply-To: <391C12B5.E5A2DCD3@quack.kfu.com>

On Fri, 12 May 2000, Nick Sayer wrote:

> I would like to gather some opinions in regards to _very slightly_
> backing off on rexec's security.

Don't do it?

> rexec makes the following checks...

[ uid==0, password blank, uname in /etc/ftpusers ]

> I put it to everyone that the first and third checks are equivalent and

What you say is correct, but personally I think deprecated really should
mean deprecated. There are better alternatives to rexec (ssh - open or
otherwise) and they ought to be pushed.

If admins _really_ want this functionality, patching the source isn't so
much of a hardship. But it makes the path of least resistance the
installation of a better alternative :-)

jan

--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287163 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk
Spreadsheet through network. Oh yeah.