Back out recent security patch for rexecd. After more careful analysis,

it is both unneeded and breaks certain lock-step timing in the rexec
protocol.

Yes, an attacker can "relay" connections using this trick,  but a properly
configured firewall that would make this sort of subterfuge necessary in the
first place (instead of direct packet spoofing) would also thwart useful
attacks based on this.
Paul Traina 1996-11-22 08:59:07 +00:00
parent ccddabb0c7
commit a13e275f66
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=19924
2 changed files with 15 additions and 28 deletions


@ -99,11 +99,8 @@ by
.El
.Sh CAVEATS
.Nm Rexecd
will no longer allow root logins,
access for users listed in /etc/ftpusers,
access for users with no passwords,
or reverse connections to privileged ports,
which were all serious security holes.
will no longer allow root logins, access for users listed in /etc/ftpusers,
or access for users with no passwords, which were all serious security holes.
The entire concept of rexec/rexecd is a major security hole and an example
of how not to do things.
.Nm Rexecd


@ -153,6 +153,18 @@ doit(f, fromp)
port = port * 10 + c - '0';
}
(void) alarm(0);
if (port != 0) {
s = socket(AF_INET, SOCK_STREAM, 0);
if (s < 0)
exit(1);
if (bind(s, (struct sockaddr *)&asin, sizeof (asin)) < 0)
exit(1);
(void) alarm(60);
fromp->sin_port = htons(port);
if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0)
exit(1);
(void) alarm(0);
}
getstr(user, sizeof(user), "username");
getstr(pass, sizeof(pass), "password");
getstr(cmdbuf, sizeof(cmdbuf), "command");
@ -205,30 +217,8 @@ doit(f, fromp)
error("No remote directory.\n");
exit(1);
}
if (port != 0) {
if (port < IPPORT_RESERVED) {
syslog(LOG_ERR, "%s CONNECTION REFUSED to %s:%d "
"client requested privileged port",
user, remote, port);
error("Privileged port requested for stderr info.\n");
exit(1);
}
s = socket(AF_INET, SOCK_STREAM, 0);
if (s < 0)
exit(1);
if (bind(s, (struct sockaddr *)&asin, sizeof (asin)) < 0)
exit(1);
(void) alarm(60);
fromp->sin_port = htons(port);
if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0)
exit(1);
(void) alarm(0);
}
(void) write(2, "\0", 1);
if (port != 0) {
if (port) {
(void) pipe(pv);
pid = fork();
if (pid == -1) {
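Review bot: The restored `if (port != 0)` block ahead of the `getstr` calls makes the outbound connect() to a client-chosen port before any credentials are read, and nothing on the visible lines bounds `port` or records the attempt. `port` is accumulated digit by digit (`port = port * 10 + c - '0'`, loop start outside the hunk) and passed straight to `htons(port)`, so a value above 65535 would be silently truncated; assuming `port` is an int, as the removed `%d` format suggests, a guard such as `if (port > 65535) exit(1);` before the `socket()` call would reject it. Because the privileged-port refusal and its syslog line are removed together, consider keeping an audit record at the new position, e.g. `syslog(LOG_INFO, "stderr connect-back to port %d requested", port);`, plus a comment stating that the connect has to precede authentication for protocol timing and that filtering of the destination port is left to the firewall. doit()'s body starts and ends outside these hunks.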