diff options
author | pst <pst@FreeBSD.org> | 1996-11-22 08:59:07 +0000 |
---|---|---|
committer | pst <pst@FreeBSD.org> | 1996-11-22 08:59:07 +0000 |
commit | f802c9787d3218fbc623bb2a74f3c5c430094dfb (patch) | |
tree | e65ab53e32993fd712bc0e7f930d9ff6916114c6 | |
parent | a8c2478d1d280d99d12fc655de3f105d17d8da42 (diff) | |
download | FreeBSD-src-f802c9787d3218fbc623bb2a74f3c5c430094dfb.zip FreeBSD-src-f802c9787d3218fbc623bb2a74f3c5c430094dfb.tar.gz |
Back out recent security patch for rexecd. After more careful analysis,
it is both uneeded and breaks certain lock-step timing in the rexec
protocol.
Yes, an attacker can "relay" connections using this trick, but a properly
configured firewall that would make this sort of subterfuge necessary in the
first place (instead of direct packet spoofing) would also thwart useful
attacks based on this.
-rw-r--r-- | libexec/rexecd/rexecd.8 | 7 | ||||
-rw-r--r-- | libexec/rexecd/rexecd.c | 36 |
2 files changed, 15 insertions, 28 deletions
diff --git a/libexec/rexecd/rexecd.8 b/libexec/rexecd/rexecd.8 index 5103465..babaf89 100644 --- a/libexec/rexecd/rexecd.8 +++ b/libexec/rexecd/rexecd.8 @@ -99,11 +99,8 @@ by .El .Sh CAVEATS .Nm Rexecd -will no longer allow root logins, -access for users listed in /etc/ftpusers, -access for users with no passwords, -or reverse connections to privileged ports, -which were all serious security holes. +will no longer allow root logins, access for users listed in /etc/ftpusers, +or access for users with no passwords, which were all serious security holes. The entire concept of rexec/rexecd is a major security hole and an example of how not to do things. .Nm Rexecd diff --git a/libexec/rexecd/rexecd.c b/libexec/rexecd/rexecd.c index 2905129..23ffd0a 100644 --- a/libexec/rexecd/rexecd.c +++ b/libexec/rexecd/rexecd.c @@ -153,6 +153,18 @@ doit(f, fromp) port = port * 10 + c - '0'; } (void) alarm(0); + if (port != 0) { + s = socket(AF_INET, SOCK_STREAM, 0); + if (s < 0) + exit(1); + if (bind(s, (struct sockaddr *)&asin, sizeof (asin)) < 0) + exit(1); + (void) alarm(60); + fromp->sin_port = htons(port); + if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0) + exit(1); + (void) alarm(0); + } getstr(user, sizeof(user), "username"); getstr(pass, sizeof(pass), "password"); getstr(cmdbuf, sizeof(cmdbuf), "command"); @@ -205,30 +217,8 @@ doit(f, fromp) error("No remote directory.\n"); exit(1); } - - if (port != 0) { - if (port < IPPORT_RESERVED) { - syslog(LOG_ERR, "%s CONNECTION REFUSED to %s:%d " - "client requested privileged port", - user, remote, port); - error("Privileged port requested for stderr info.\n"); - exit(1); - } - s = socket(AF_INET, SOCK_STREAM, 0); - if (s < 0) - exit(1); - if (bind(s, (struct sockaddr *)&asin, sizeof (asin)) < 0) - exit(1); - (void) alarm(60); - fromp->sin_port = htons(port); - if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0) - exit(1); - (void) alarm(0); - } - (void) write(2, "\0", 1); - - if (port != 0) { + if (port) { (void) pipe(pv); pid = fork(); if (pid == -1) { |