From nobody@FreeBSD.org  Sat Sep 15 07:20:23 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id BF5D137B414
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 15 Sep 2001 07:20:22 -0700 (PDT)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f8FEKMc89083;
	Sat, 15 Sep 2001 07:20:22 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200109151420.f8FEKMc89083@freefall.freebsd.org>
Date: Sat, 15 Sep 2001 07:20:22 -0700 (PDT)
From: Gavin Atkinson <ga105@york.ac.uk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: /etc/hosts.equiv and ~/.rhosts interaction violates POLA?
X-Send-Pr-Version: www-1.0

>Number:         30590
>Category:       conf
>Synopsis:       /etc/hosts.equiv and ~/.rhosts interaction violates POLA?
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 15 07:30:01 PDT 2001
>Closed-Date:    
>Last-Modified:  Sun Aug 29 04:53:45 GMT 2004
>Originator:     Gavin Atkinson
>Release:        4.4-RC5
>Organization:
URY
>Environment:
FreeBSD ury3.york.ac.uk 4.4-RC FreeBSD 4.4-RC #3: Fri Sep 14 22:17:55 BST 2001     root@ury3.york.ac.uk:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
A user can override a system-wide 'disallow' entry in /etc/hosts.equiv by allowing it in his .rhosts.
Similarly, users cannot override system-wide 'allow' entries in /etc/hosts.equiv by disallowing them in their .rhosts.

Therefore the sysadmin of a system cannot easily prevent rlogins from another system. This would seem to be a useful thing, for example if the remote system has been compromised.
Also, if a user cares more for his account's security than the sysadmin, he can't disable rlogins.

I believe a 'disallow' entry in either file should not be overridable.

This seems to have existed throughout the 4.x series.

>How-To-Repeat:
Add the following to hosts.equiv:
-foo.bar.com

A user can override this global disallow by adding the following to his .rhosts file:
+foo.bar.com

Similarly, the following in hosts.equiv:
+bar.foo.com

cannot be overridden by adding the following to a user's .rhosts file:
-bar.foo.com

(both tested with rlogin on 4.1-R, 4.3-R and 4.4-RC5)
>Fix:
Seems pretty difficult to fix nicely without a major re-write of __ivaliduser_sa, iruserok_sa and related functions in /usr/src/lib/libc/net/rcmd.c.
>Release-Note:
>Audit-Trail:

From: David Malone <dwmalone@maths.tcd.ie>
To: Gavin Atkinson <ga105@york.ac.uk>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/30590: /etc/hosts.equiv and ~/.rhosts interaction violates POLA?
Date: Sat, 15 Sep 2001 15:33:00 +0100

 On Sat, Sep 15, 2001 at 07:20:22AM -0700, Gavin Atkinson wrote:
 > Therefore the sysadmin of a system cannot easily prevent rlogins from another system. This would seem to be a useful thing, for example if the remote system has been compromised.
 > Also, if a user cares more for his account's security than the sysadmin, he can't disable rlogins.
 
 Surely you would be much better off using hosts.allow or ipfw to
 prevent such connections? That way you would stop connections
 using telnet and ssh too.
 
 	David.
>Unformatted:
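
Added example, not part of the original report and not FreeBSD's code: a simplified C model of the lookup order described under Description and How-To-Repeat, next to the "disallow in either file is final" policy the submitter proposes. The function names, the exact-hostname-only matching and the sample files are assumptions made for illustration.

```c
/* Simplified model of the behaviour reported in this PR (not the rcmd.c code).
   Only exact-hostname "+host" / "-host" lines are modeled. */
#include <stdio.h>
#include <string.h>

enum verdict { NOMATCH, ALLOW, DENY };

/* The first matching entry in one file decides that file's verdict. */
static enum verdict check_file(const char *const *lines, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if ((lines[i][0] == '+' || lines[i][0] == '-') && strcmp(lines[i] + 1, host) == 0)
            return lines[i][0] == '+' ? ALLOW : DENY;
    return NOMATCH;
}

/* Reported behaviour: a disallow only ends the search of its own file,
   so access is granted whenever either file allows the host. */
int reported_policy(enum verdict equiv, enum verdict rhosts)
{
    return equiv == ALLOW || rhosts == ALLOW;
}

/* Policy proposed by the submitter: a disallow in either file is final. */
int proposed_policy(enum verdict equiv, enum verdict rhosts)
{
    return equiv != DENY && rhosts != DENY && (equiv == ALLOW || rhosts == ALLOW);
}

/* Constructed sample files mirroring the How-To-Repeat section. */
static const char *const sample_equiv[]  = { "-foo.bar.com", "+bar.foo.com" };
static const char *const sample_rhosts[] = { "+foo.bar.com", "-bar.foo.com" };

/* Returns 1 if the host would be trusted under the chosen policy. */
int allowed(const char *host, int use_proposed)
{
    enum verdict e = check_file(sample_equiv, 2, host);
    enum verdict r = check_file(sample_rhosts, 2, host);
    return use_proposed ? proposed_policy(e, r) : reported_policy(e, r);
}

int main(void)
{
    const char *hosts[] = { "foo.bar.com", "bar.foo.com" };
    for (int i = 0; i < 2; i++)
        printf("%-12s reported=%d proposed=%d\n", hosts[i],
               allowed(hosts[i], 0), allowed(hosts[i], 1));
    return 0;
}
```

Under the reported behaviour both hosts are trusted despite a disallow entry for each; under the proposed policy neither is.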
