From dillon@backplane.com  Mon Sep 23 16:08:39 1996
Received: from apollo.backplane.com (apollo.backplane.com [204.156.134.254])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA24238
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 23 Sep 1996 16:08:36 -0700 (PDT)
Received: (dillon@localhost) by apollo.backplane.com (8.7.5/8.6.5) id QAA06496; Mon, 23 Sep 1996 16:08:26 -0700 (PDT)
Message-Id: <199609232308.QAA06496@apollo.backplane.com>
Date: Mon, 23 Sep 1996 16:08:26 -0700 (PDT)
From: dillon@backplane.com
Reply-To: dillon@backplane.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: rshd assumes hp->h_name from gethostbyaddr() valid after iruserok() call
X-Send-Pr-Version: 3.2

>Number:         1672
>Category:       bin
>Synopsis:       rshd makes assumptions regarding gethostbyaddr() and iruserok()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 23 16:10:03 PDT 1996
>Closed-Date:    Fri Oct 25 15:20:55 PDT 1996
>Last-Modified:  Fri Oct 25 15:23:20 PDT 1996
>Originator:     Matthew Dillon
>Release:        FreeBSD 2.1-STABLE i386
>Organization:
>Environment:

    FreeBSD 2.1.5-stable

>Description:

    Sep 23 15:54:29 tick rshd[532]: lookupx flea.best.net
    Sep 23 15:54:29 tick rshd[532]: lookupy flea.best.net
    Sep 23 15:54:29 tick rshd[532]: lookupz ne.com
    Sep 23 15:54:29 tick rshd[532]: root@ne.com as root: permission denied. cmd='ls'

	(start around line 448 of /usr/src/libexec/rshd/rshd.c)

                syslog(LOG_INFO|LOG_AUTH, "lookupy %s", hostname);

                if (errorstr ||
                    (pwd->pw_expire && time(NULL) >= pwd->pw_expire) ||
                    (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
                    iruserok(fromp->sin_addr.s_addr, pwd->pw_uid == 0,
                    remuser, locuser) < 0)) {
                        syslog(LOG_INFO|LOG_AUTH, "lookupz %s", hostname);
                        if (__rcmd_errstr)
                                syslog(LOG_INFO|LOG_AUTH,



>How-To-Repeat:

	It would appear that iruserok blows away the 'hostname' variable.  The
	problem appears to result in incorrect log lines on rsh failures.  It
	appears to occur when the domain of the originator is the same as the
	domain of the server host.

>Fix:
	
	I suggest putting the equivalent of a:

	hostname = strdup(hostname);

	after the hostname is resolved.


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: fenner 
State-Changed-When: Fri Oct 25 15:20:55 PDT 1996 
State-Changed-Why:  
Duplicate of bin/1395 and bin/1273. The problem was fixed in 
rev 1.9 of src/libexec/rshd/rshd.c . 
>Unformatted:
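
A minimal C illustration of the stale-pointer pattern this report describes, added here and not taken from rshd.c or from the submitter. `fake_gethostbyaddr`, `fake_iruserok`, `check_unsafe`, `check_safe` and the example.net names are hypothetical stand-ins, and the sketch assumes the access check performs its own resolver lookup that reuses the same static storage.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical resolver stand-in: like gethostbyaddr(), returns static storage. */
struct fake_hostent { char *h_name; };

static struct fake_hostent *fake_gethostbyaddr(const char *name)
{
    static char namebuf[256];
    static struct fake_hostent he = { namebuf };
    snprintf(namebuf, sizeof(namebuf), "%s", name);
    return &he;
}

/* Hypothetical stand-in for iruserok(): its own lookup reuses that buffer. */
static int fake_iruserok(void)
{
    (void)fake_gethostbyaddr("server.example.net"); /* constructed name */
    return -1; /* deny, so the caller reaches its logging path */
}

/* Pattern from the report: the raw h_name pointer is kept across the check. */
static int check_unsafe(char *logged, size_t len)
{
    const char *hostname = fake_gethostbyaddr("client.example.net")->h_name;
    int rc = fake_iruserok();
    snprintf(logged, len, "%s", hostname); /* names the wrong host */
    return rc;
}

/* Private copy taken right after resolution (same effect as strdup()). */
static int check_safe(char *logged, size_t len)
{
    char hostname[256];
    snprintf(hostname, sizeof(hostname), "%s",
             fake_gethostbyaddr("client.example.net")->h_name);
    int rc = fake_iruserok();
    snprintf(logged, len, "%s", hostname); /* still the client's name */
    return rc;
}

int main(void)
{
    char a[256], b[256];
    check_unsafe(a, sizeof(a));
    check_safe(b, sizeof(b));
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    return 0;
}
```

For an authentication log, the unsafe variant records a host other than the one that actually connected, which undermines the audit trail for denied rsh attempts.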
