Re: Is starting a user program on priv port via inetd dangerous?

Jukka Ukkonen (Jukka.Ukkonen@csc.fi)
Sat, 23 Jul 1994 10:08:37 +0300 (EET DST)

Quoting Lord of flying horned octopi:
> 
> If rlogind was so easily spoofed, why not just use your own machine, i.e.
> one you have root access on, to spoof someone elses rlogind?

	For the root user rlogind does not scan /etc/hosts.equiv. It only
	looks into /.rhosts when you try to access the root account. You
	would have to spoof DNS!

	Only a brain-dead sys-admin would ever put any other machines but
	those in his own domain into any /etc/hosts.equiv. Those are the only
	machines over which (s)he has unlimited control and can make any
	assumptions about their reliability. (Neither would I ever rely on
	any other DNS server but the ones I am administering myself to give
	me correct information about my domain.)

	To the users' personal ~/.rhosts then... Because many normal
	users tend to keep a lot of unreliable machines in their own
	~/.rhosts, some admins turn off the checking of the personal
	.rhosts files. Even though such an entry does not directly
	compromise more than the single user's account, it could be used
	as the first access point to a machine to allow further cracking.

	On the whole rlogind is not more easily fooled than is the person
	administering the machine on which rlogind runs. For more security
	one could always compile one's own rlogind (and rshd) and make sure
	the ip-source-route option is not set when a connection is opened.
	One could use tcpd to force the same effect.

	As a general reply to the discussion about the inetd ...
	Because inetd really can start non-root programs with sockets
	bound to ports below 512, you should remember these ports are
	reserved for IANA to assign. Ports from 512 to 1023 were originally
	reserved for UNIX services like rlogind (login), rshd (shell),
	rexecd (exec) and are in fact also IANA's domain, but these can be
	temporarily assigned by local sys-admins too on an as-needed basis.

	On the whole there is no other real advantage in making a server
	run on a controlled (1023 or below) port than knowing that a normal
	user usually cannot steal a well known port for some other purpose,
	thus making a well known service unavailable on the particular
	machine. (This only goes as far as your machine is a multiuser
	host that makes a difference between normal and controlled ports.)
	Relying on an attempted connection coming from a port with number
	1023 or below makes sense only as far as you can rely on the remote
	peer to enforce the policy that only root can allocate a controlled
	port, and know the root on that particular machine has no malicious
	interest towards our machine. (Generally this means that the peer
	machines have the same admins.)

	If the irc community wants to gain a "well known service" status
	for irc/ircd, please, do so by negotiating with IANA.

	Cheers,
		// jau
------
  /    Jukka A. Ukkonen, M.Sc. (tech.) Centre for Scientific Computing
 /__   Internet: ukkonen@csc.fi            Tel:  (Home) +358-0-578628
   /   Internet: jau@cs.tut.fi                   (Work) +358-0-4573208
  v    X.400:    c=fi, admd=fumail, no prmd, org=csc, pn=jukka.ukkonen
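The following C program is an added example and is not part of the mail above or of any rlogind/inetd source. It shows the three points the mail makes in running code: the port ranges it describes (below 512 IANA-assigned, 512-1023 reserved for UNIX services, 1024 and up free), the only concrete guarantee a controlled port gives on a multiuser host (an ordinary user cannot bind it, which `try_bind_port` demonstrates by reporting the errno), the rlogind-style trust decision that a low source port is only meaningful when the peer's root is already trusted, and the "own domain only" rule for /etc/hosts.equiv. The names `classify_port`, `try_bind_port`, `accept_reserved_port_claim` and `host_in_own_domain`, and the `peer_trusted` flag, are assumptions made for this example; the sample ports 513 (login) and 6667 (irc) are just illustrative inputs.

```c
/* Added example, not code from the original mail: reserved-port rules
 * and the hosts.equiv domain check, as a defender would reason about them. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024
#endif

enum port_class { PORT_IANA_WELL_KNOWN, PORT_UNIX_RESERVED, PORT_UNPRIVILEGED };

/* Classify a TCP port into the ranges the mail describes:
 * 0-511 assigned by IANA, 512-1023 reserved for UNIX services (login,
 * shell, exec) but locally assignable, 1024 and above open to any user. */
enum port_class classify_port(unsigned short port)
{
    if (port < 512) return PORT_IANA_WELL_KNOWN;
    if (port < IPPORT_RESERVED) return PORT_UNIX_RESERVED;
    return PORT_UNPRIVILEGED;
}

/* The one property a controlled port gives you on a multiuser host:
 * a normal user cannot bind it. Try to bind 127.0.0.1:port and return
 * 0 on success or the errno (EACCES for ports below IPPORT_RESERVED
 * when run without root). The socket is closed again immediately. */
int try_bind_port(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : errno;
    close(fd);
    return rc;
}

/* rlogind-style trust decision as the mail argues it should be made:
 * a peer source port below 1024 is evidence of "root on the peer" only
 * if you already trust that peer's root (same admins). peer_trusted is a
 * hypothetical flag standing in for that administrative judgement. */
int accept_reserved_port_claim(unsigned short peer_port, int peer_trusted)
{
    return peer_port < IPPORT_RESERVED && peer_trusted;
}

/* hosts.equiv rule from the mail: list only hosts in your own domain.
 * Returns 1 when host is "<label(s)>.<domain>" (case-insensitive, as DNS
 * names are), 0 otherwise. The explicit dot check keeps "notcsc.fi"
 * from matching the domain "csc.fi"; the bare domain name is not a host. */
int host_in_own_domain(const char *host, const char *domain)
{
    size_t hl = strlen(host), dl = strlen(domain);
    if (hl <= dl + 1) return 0;
    if (host[hl - dl - 1] != '.') return 0;
    return strcasecmp(host + hl - dl, domain) == 0;
}

int main(void)
{
    /* Constructed sample ports: login (513), top of reserved range, irc. */
    unsigned short ports[] = { 513, 1023, 6667 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        int rc = try_bind_port(ports[i]);
        printf("port %u (class %d): bind -> %s\n", ports[i],
               classify_port(ports[i]), rc ? strerror(rc) : "ok");
    }
    printf("bar.csc.fi in csc.fi: %d, notcsc.fi in csc.fi: %d\n",
           host_in_own_domain("bar.csc.fi", "csc.fi"),
           host_in_own_domain("notcsc.fi", "csc.fi"));
    return 0;
}
```

Run it once as a normal user and once as root: the bind on 513 and 1023 fails with "Permission denied" only in the first case, which is exactly why the mail says a low source port tells you nothing unless you trust the peer's root. The domain check is the part worth copying into any hosts.equiv or .rhosts audit script, since a suffix comparison without the dot test is a classic way to let a look-alike host through.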