This is NetKit-B-0.08.

This is probably the last NetKit-B. NetKit-A has already officially
ceased to exist. That's right, THERE IS NO NETKIT-A ANY MORE.

NetKit-B-0.08 is an update of NetKit-B-0.07A. 

NOTE: There was a "NetKit-B-0.07B" uploaded to some archive sites. It
was *not* an official release and might be trojanized. Please delete
it if you see it anywhere.

In the future the components of the NetKit packages will be available
individually at ftp://ftp.uk.linux.org/pub/linux/Networking, and
probably elsewhere as well. 

Contents: 
	NetKit-B contains the following programs:
		biff  comsat  finger  fingerd  ftp  inetd  ping  
		rlogin  rlogind  rcp  rpcgen  rpc.rusersd  
		rpc.rwalld  rpcinfo  rsh  rshd  rusers  rwall  
		rwho  rwhod  bsdslattach  talk  talkd  telnet
		telnetd  timed

	This release fixes a critical security problem with telnetd.
	It also fixes problems with telnetd, tftp, and rwhod that
	could have security implications. Please don't use older
	versions of these programs. It also fixes a potentially
	significant bug in telnet; see below.

	NetKit-B also contains the following programs that you
	shouldn't even install unless you need them:
		rexecd  tftp  tftpd

	If you're reading this off a CD, go right away and check the
	net archives for later versions and security fixes.
	
	If you are updating from NetKit-B-0.06, you may also want to
	get the current versions of portmap, rdist, sliplogin, 
	and/or bsd-ftpd, as those are no longer included here. You 
	will also want to get LPRng or PLP to replace lpr, as that is
	no longer included either. All of these can be gotten from
	ftp.uk.linux.org://pub/linux/Networking.


Requirements: (I know these work; you can probably use much earlier 
versions of libc, gcc, or the kernel.)

	libc 5.2 or higher (though 4.x should work)
	linux 2.0 or higher (as early as 0.99pl15 might work...)
	gcc 2.7.2 (please get the strength-reduce fix if you don't have it) 
	libncurses (any recent version)
	libreadline (GNU readline library) is optional but recommended.

Please make sure your /usr/include matches your libc version. If you have 
weird problems this is the most likely culprit.


Installation:
	Edit MCONFIG to set the configuration options. 
	You will want to edit the top-level Makefile to select which
	  programs to build and install.
	Apply the rusersd.x patch to your /usr/include if you feel so 
	  inclined and you have a libc without the patch already applied.
	  This is not necessary; the patch fixes some noncritical compiler
	  warnings.
	Do "make".
	Do "make install" as root to install everything. Save backup copies 
	  of important tools, or confirm the new ones work first. Etc. We 
	  warned you.

Security:
	NetKit-B-0.08 fixes a buffer overrun in rwhod that could 
	potentially have been used to gain root access.
	
	NetKit-B-0.08 fixes some possible buffer overruns in the tftp
	client that might have been vulnerable to DNS spoofing attacks.

	NetKit-B-0.08 fixes a problem in telnetd that could permit 
	anyone anywhere to get a root shell, and also a possible
	buffer overrun vulnerable to DNS spoofing.

	NetKit-B-0.08 fixes a bug in telnet that caused the -E
	(disable escape character) flag to not be honored correctly.
	This could have security implications if telnet is run as 
	part of a restricted shell system. Such use of telnet is not
	recommended; telnet was not written to be secure. Use rlogin
	(or slogin) for such purposes.

	NetKit-B-0.07 fixed a number of now well-known security
	problems. Please read README.v07, and don't use older versions
	of the affected programs.

Other notes:
	To compile ftp with readline support you'll need a copy of the
	readline library installed. If you don't have it, get
	readline-2.0 from prep.ai.mit.edu (or any GNU mirror). You'll
	need to apply the enclosed patch, or ftp will have problems with 
	^C handling.

	Use of the the "talk.FvK.patch" patch is neither recommended
	nor discouraged. Apply it at your discretion.

	Telnetd is now set up to leave unused pseudo-tty devices owned
	by root and not readable or writeable. This is a security 
	improvement. If this causes problems (which it may), take out 
	-DPARANOID_TTYS from the telnetd makefile.

	Telnetd is also now set up to permit passing only a few
	predefined environment variables, namely, USER, LOGNAME,
	DISPLAY, TERM, and POSIXLY_CORRECT. If you need to put in
	more, the function that checks is at the end of state.c.
	Please also let me know if I've forgotten anything of general
	interest. (Things like PATH that are meant to be set locally
	do not count.)

	Fingerd now will optionally block requests of the form "finger
	@host" if so desired.

Bugs:
	There was a great deal of hacking on the sources for this version,
	especially telnet. Everything that's supposed to be able to
	compile (see the Makefile) compiles for me. If it doesn't
	compile for you, send diffs. If you can't send diffs, send the
	compiler's error output.

	If it compiles but doesn't work, send as complete a bug report as 
	you can. Patches and fixes are welcome, as long as you describe 
	adequately what they're supposed to fix. Please, one patch per
	distinct fix.

	Be sure to send all correspondence in e-mail. Postings to netnews 
	will almost certainly not be seen due to the enormous volume.

	Please don't report known bugs (see the BUGS file) unless you
	are including fixes. :-)


David A. Holland	dholland@hcs.harvard.edu
								14-Aug-1996
