KTH announced a weakness in their implementation of KerberosIV.

FreeBSD was not vulnerable, but their fix had some useful features. Incorporate the best of those - rcp(1) no longer needs to be SUID to root.
svn path=/head/; revision=34898
2024-11-29 21:52:45 +00:00 · 1998-03-26 18:15:00 +00:00 · 1998-03-26 18:15:00 +00:00 · 4eff93dd4e · 2020-12-20 02:59:44 +00:00
commit 4eff93dd4e
parent 42873e5755
3 changed files with 30 additions and 15 deletions
--- a/bin/rcp/Makefile
+++ b/bin/rcp/Makefile
@ -1,5 +1,5 @@
 #	@(#)Makefile	8.1 (Berkeley) 7/19/93
-#	$Id: Makefile,v 1.7 1997/02/22 14:05:18 peter Exp $
+#	$Id$

 PROG=	rcp
 SRCS=	rcp.c util.c
@ -18,8 +18,8 @@ DISTRIBUTION=	krb
 .PATH:	${.CURDIR}/../../crypto/kerberosIV/appl/bsd
 .endif

-BINOWN=	root
-BINMODE=4555
-INSTALLFLAGS=-fschg
+#BINOWN=	root
+#BINMODE=4555
+#INSTALLFLAGS=-fschg

 .include <bsd.prog.mk>
--- a/bin/rcp/pathnames.h
+++ b/bin/rcp/pathnames.h
@ -37,4 +37,6 @@
 #include <paths.h>

 #define	_PATH_CP	"/bin/cp"
+#define	_PATH_RCP	"/bin/rcp"
+#define	_PATH_RLOGIN	"/usr/bin/rlogin"
 #define	_PATH_RSH	"/usr/bin/rsh"
--- a/bin/rcp/rcp.c
+++ b/bin/rcp/rcp.c
@ -30,7 +30,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- *	$Id: rcp.c,v 1.16 1997/12/07 20:49:39 wosch Exp $
+ *	$Id$
 */

 #ifndef lint
@ -72,8 +72,6 @@ static char const sccsid[] = "@(#)rcp.c	8.2 (Berkeley) 4/2/94";
 #include <des.h>
 #include <krb.h>

-/* #include "../../usr.bin/rlogin/krb.h" */
-
 char	dst_realm_buf[REALM_SZ];
 char	*dest_realm = NULL;
 int	use_kerberos = 1;
@ -96,6 +94,9 @@ uid_t	userid;
 int errs, rem;
 int pflag, iamremote, iamrecursive, targetshouldbedirectory;

+static int argc_copy;
+static char **argv_copy;
+
 #define	CMDNEEDS	64
 char cmd[CMDNEEDS];		/* must hold "rcp -r -p -d\0" */

@ -119,6 +120,24 @@ main(argc, argv)
 	struct servent *sp;
 	int ch, fflag, tflag;
 	char *targ, *shell;
+	int i;
+
+	/*
+	 * Prepare for execing ourselves.
+	 */
+
+	argc_copy = argc + 1;
+	argv_copy = malloc((argc_copy + 1) * sizeof(*argv_copy));
+	if (argv_copy == NULL)
+		err(1, "malloc");
+	argv_copy[0] = argv[0];
+	argv_copy[1] = "-K";
+	for(i = 1; i < argc; ++i) {
+		argv_copy[i + 1] = strdup(argv[i]);
+		if (argv_copy[i + 1] == NULL)
+			errx(1, "strdup: out of memory");
+	}
+	argv_copy[argc + 1] = NULL;

 	fflag = tflag = 0;
 	while ((ch = getopt(argc, argv, OPTIONS)) != -1)
@ -774,10 +793,8 @@ int
 kerberos(host, bp, locuser, user)
 	char **host, *bp, *locuser, *user;
 {
-	struct servent *sp;
-
-again:
 	if (use_kerberos) {
+		setuid(getuid());
 		rem = KSUCCESS;
 		errno = 0;
 		if (dest_realm == NULL)
@ -791,15 +808,11 @@ again:
 			krcmd(host, port, user, bp, 0, dest_realm);

 		if (rem < 0) {
-			use_kerberos = 0;
-			if ((sp = getservbyname("shell", "tcp")) == NULL)
-				errx(1, "unknown service shell/tcp");
 			if (errno == ECONNREFUSED)
 			    oldw("remote host doesn't support Kerberos");
 			else if (errno == ENOENT)
 			    oldw("can't provide Kerberos authentication data");
-			port = sp->s_port;
-			goto again;
+			execv(_PATH_RCP, argv_copy);
 		}
 	} else {
 #ifdef CRYPT