KTH announced a weakness in their implementation of KerberosIV.

FreeBSD was not vulnerable, but their fix had some useful features.
Incorporate the best of those - rcp(1) no longer needs to be SUID
to root.

3 files changed, 30 insertions, 15 deletions

diff --git a/bin/rcp/Makefile b/bin/rcp/Makefile
index c82eccf..df53707 100644
--- a/bin/rcp/Makefile
+++ b/bin/rcp/Makefile
@@ -1,5 +1,5 @@
 #	@(#)Makefile	8.1 (Berkeley) 7/19/93
-#	$Id: Makefile,v 1.7 1997/02/22 14:05:18 peter Exp $
+#	$Id$
 
 PROG=	rcp
 SRCS=	rcp.c util.c
@@ -18,8 +18,8 @@ DISTRIBUTION=	krb
 .PATH:	${.CURDIR}/../../crypto/kerberosIV/appl/bsd
 .endif
 
-BINOWN=	root
-BINMODE=4555
-INSTALLFLAGS=-fschg
+#BINOWN=	root
+#BINMODE=4555
+#INSTALLFLAGS=-fschg
 
 .include <bsd.prog.mk>
diff --git a/bin/rcp/pathnames.h b/bin/rcp/pathnames.h
index 39158f0..556043e 100644
--- a/bin/rcp/pathnames.h
+++ b/bin/rcp/pathnames.h
@@ -37,4 +37,6 @@
 #include <paths.h>
 
 #define	_PATH_CP	"/bin/cp"
+#define	_PATH_RCP	"/bin/rcp"
+#define	_PATH_RLOGIN	"/usr/bin/rlogin"
 #define	_PATH_RSH	"/usr/bin/rsh"
diff --git a/bin/rcp/rcp.c b/bin/rcp/rcp.c
index 84a018a..ec40f1c 100644
--- a/bin/rcp/rcp.c
+++ b/bin/rcp/rcp.c
@@ -30,7 +30,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- *	$Id: rcp.c,v 1.16 1997/12/07 20:49:39 wosch Exp $
+ *	$Id$
  */
 
 #ifndef lint
@@ -72,8 +72,6 @@ static char const sccsid[] = "@(#)rcp.c	8.2 (Berkeley) 4/2/94";
 #include <des.h>
 #include <krb.h>
 
-/* #include "../../usr.bin/rlogin/krb.h" */
-
 char	dst_realm_buf[REALM_SZ];
 char	*dest_realm = NULL;
 int	use_kerberos = 1;
@@ -96,6 +94,9 @@ uid_t	userid;
 int errs, rem;
 int pflag, iamremote, iamrecursive, targetshouldbedirectory;
 
+static int argc_copy;
+static char **argv_copy;
+
 #define	CMDNEEDS	64
 char cmd[CMDNEEDS];		/* must hold "rcp -r -p -d\0" */
 
@@ -119,6 +120,24 @@ main(argc, argv)
 	struct servent *sp;
 	int ch, fflag, tflag;
 	char *targ, *shell;
+	int i;
+
+	/*
+	 * Prepare for execing ourselves.
+	 */
+
+	argc_copy = argc + 1;
+	argv_copy = malloc((argc_copy + 1) * sizeof(*argv_copy));
+	if (argv_copy == NULL)
+		err(1, "malloc");
+	argv_copy[0] = argv[0];
+	argv_copy[1] = "-K";
+	for(i = 1; i < argc; ++i) {
+		argv_copy[i + 1] = strdup(argv[i]);
+		if (argv_copy[i + 1] == NULL)
+			errx(1, "strdup: out of memory");
+	}
+	argv_copy[argc + 1] = NULL;
 
 	fflag = tflag = 0;
 	while ((ch = getopt(argc, argv, OPTIONS)) != -1)
@@ -774,10 +793,8 @@ int
 kerberos(host, bp, locuser, user)
 	char **host, *bp, *locuser, *user;
 {
-	struct servent *sp;
-
-again:
 	if (use_kerberos) {
+		setuid(getuid());
 		rem = KSUCCESS;
 		errno = 0;
 		if (dest_realm == NULL)
@@ -791,15 +808,11 @@ again:
 			krcmd(host, port, user, bp, 0, dest_realm);
 
 		if (rem < 0) {
-			use_kerberos = 0;
-			if ((sp = getservbyname("shell", "tcp")) == NULL)
-				errx(1, "unknown service shell/tcp");
 			if (errno == ECONNREFUSED)
 			    oldw("remote host doesn't support Kerberos");
 			else if (errno == ENOENT)
 			    oldw("can't provide Kerberos authentication data");
-			port = sp->s_port;
-			goto again;
+			execv(_PATH_RCP, argv_copy);
 		}
 	} else {
 #ifdef CRYPT