authorpst <pst@FreeBSD.org>1996-11-22 08:59:07 +0000
committerpst <pst@FreeBSD.org>1996-11-22 08:59:07 +0000
commitf802c9787d3218fbc623bb2a74f3c5c430094dfb (patch)
treee65ab53e32993fd712bc0e7f930d9ff6916114c6 /libexec/rexecd
parenta8c2478d1d280d99d12fc655de3f105d17d8da42 (diff)
Back out recent security patch for rexecd. After more careful analysis,
it is both unneeded and breaks certain lock-step timing in the rexec protocol. Yes, an attacker can "relay" connections using this trick, but a properly configured firewall that would make this sort of subterfuge necessary in the first place (instead of direct packet spoofing) would also thwart useful attacks based on this.
Diffstat (limited to 'libexec/rexecd')
-rw-r--r--libexec/rexecd/rexecd.87
-rw-r--r--libexec/rexecd/rexecd.c36
2 files changed, 15 insertions, 28 deletions
diff --git a/libexec/rexecd/rexecd.8 b/libexec/rexecd/rexecd.8
index 5103465..babaf89 100644
--- a/libexec/rexecd/rexecd.8
+++ b/libexec/rexecd/rexecd.8
@@ -99,11 +99,8 @@ by
.El
.Sh CAVEATS
.Nm Rexecd
-will no longer allow root logins,
-access for users listed in /etc/ftpusers,
-access for users with no passwords,
-or reverse connections to privileged ports,
-which were all serious security holes.
+will no longer allow root logins, access for users listed in /etc/ftpusers,
+or access for users with no passwords, which were all serious security holes.
The entire concept of rexec/rexecd is a major security hole and an example
of how not to do things.
.Nm Rexecd
diff --git a/libexec/rexecd/rexecd.c b/libexec/rexecd/rexecd.c
index 2905129..23ffd0a 100644
--- a/libexec/rexecd/rexecd.c
+++ b/libexec/rexecd/rexecd.c
@@ -153,6 +153,18 @@ doit(f, fromp)
port = port * 10 + c - '0';
}
(void) alarm(0);
+ if (port != 0) {
+ s = socket(AF_INET, SOCK_STREAM, 0);
+ if (s < 0)
+ exit(1);
+ if (bind(s, (struct sockaddr *)&asin, sizeof (asin)) < 0)
+ exit(1);
+ (void) alarm(60);
+ fromp->sin_port = htons(port);
+ if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0)
+ exit(1);
+ (void) alarm(0);
+ }
getstr(user, sizeof(user), "username");
getstr(pass, sizeof(pass), "password");
getstr(cmdbuf, sizeof(cmdbuf), "command");
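Review bot: The connect-back added at `if (port != 0) {` runs before `getstr(user, ...)` and `getstr(pass, ...)`, so an unauthenticated peer can make the daemon open a TCP connection to any port it names, privileged ones included, and nothing is logged when it does. The commit message accepts the relay risk, but the `syslog()` call that went away with the old check was the only trace of such requests, and every failure path here is a bare `exit(1)`. A log line ahead of `connect()` would leave the protocol timing alone while restoring an audit trail, for example `if (port < IPPORT_RESERVED) syslog(LOG_NOTICE, "stderr connection to privileged port %d requested", port);`. The digit loop that builds `port` sits above the hunk, so it is worth confirming that it bounds the value, since `htons(port)` would otherwise silently truncate anything above 65535. A one-line comment saying that the secondary connection must be made before the credentials are read, because the client waits for it, would also stop the next reader from moving it back; doit() starts and ends outside this hunk.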
@@ -205,30 +217,8 @@ doit(f, fromp)
error("No remote directory.\n");
exit(1);
}
-
- if (port != 0) {
- if (port < IPPORT_RESERVED) {
- syslog(LOG_ERR, "%s CONNECTION REFUSED to %s:%d "
- "client requested privileged port",
- user, remote, port);
- error("Privileged port requested for stderr info.\n");
- exit(1);
- }
- s = socket(AF_INET, SOCK_STREAM, 0);
- if (s < 0)
- exit(1);
- if (bind(s, (struct sockaddr *)&asin, sizeof (asin)) < 0)
- exit(1);
- (void) alarm(60);
- fromp->sin_port = htons(port);
- if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0)
- exit(1);
- (void) alarm(0);
- }
-
(void) write(2, "\0", 1);
-
- if (port != 0) {
+ if (port) {
(void) pipe(pv);
pid = fork();
if (pid == -1) {
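Review bot: The rewritten test `if (port) {` is a style inconsistency with the block this same commit adds earlier in doit(), which spells the identical condition as `if (port != 0) {`; keeping `if (port != 0) {` here would make the two read alike and leave this line out of the diff. The body of this `if` and the rest of doit() continue past the end of the hunk.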
OpenPOWER on IntegriCloud