>>>>> On Thu, 29 Sep 1994 07:04:44 -0600 (CDT), Pug <pug@arlut.utexas.edu> said:

>As I remember the race condition, you don't have a problem if you don't
>allow the 'r' commands into your system. The race condition created a
>.rhosts file for accounts that had UID 0, but no existing .rhosts file.
>I can't find my copy of the exploit anymore to be certain. As well, you
>had to start on the system, so it wasn't that much of an external job
>anyway.

This is one of the problems with exploit scripts: the scripts use
.rhosts as one file to create for a user. Now this particular file has
a certain interpretation that makes it dangerous. However, there are
many more files that when created will cause problems.

Besides, I believe that this is not the bug at issue. A newer bug was
found by and alluded to on Usenet by Joerg Czeranski. No patch has been
made yet by Sun, even though it has been more than two months.

>I see allowing 'r' commands into your installation as a Bad Thing anyway.

If you allow it locally (in a non-secure NFS environment) it is a *good*
thing, as long as you restrict it. It gives snoopers much less chance
of getting lots of local passwords.

Casper
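
A defender's check for the outcome described in the quoted text above, a .rhosts file appearing in the home directory of a UID 0 account, written here as an added example that is not part of the original message. The function names, the `root` prefix parameter and the sample passwd entries are assumptions made for illustration.

```python
import os
import stat
import tempfile

def uid0_accounts(passwd_text):
    """Return (name, home) for every passwd entry whose UID field is 0."""
    fields = (line.split(":") for line in passwd_text.splitlines())
    return [(f[0], f[5]) for f in fields if len(f) >= 7 and f[2] == "0"]

def audit_rhosts(passwd_text, root="/"):
    """List (account, path, problems) for each UID 0 home holding a .rhosts."""
    findings = []
    for name, home in uid0_accounts(passwd_text):
        path = os.path.join(root, home.lstrip("/"), ".rhosts")
        try:
            st = os.lstat(path)  # lstat so a symlink is reported, not followed
        except FileNotFoundError:
            continue  # no .rhosts (or no home directory) for this account
        problems = ["present"]
        if not stat.S_ISREG(st.st_mode):
            problems.append("not a regular file")
        else:
            if st.st_mode & 0o022:
                problems.append("group/world writable")
            with open(path, errors="replace") as fh:
                if any("+" in l.split() for l in fh if not l.startswith("#")):
                    problems.append("wildcard entry")
        findings.append((name, path, problems))
    return findings

# Constructed sample: two UID 0 accounts and one ordinary user.
SAMPLE_PASSWD = (
    "root:x:0:0:Super-User:/:/sbin/sh\n"
    "toor:x:0:0:Alternate root:/home/toor:/bin/sh\n"
    "alice:x:1001:10:Ordinary user:/home/alice:/bin/csh\n"
)

def demo():
    """Audit a throwaway tree holding planted .rhosts files (constructed)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "home/alice"))
        for rel in (".rhosts", "home/alice/.rhosts"):
            target = os.path.join(root, rel)
            with open(target, "w") as fh:
                fh.write("+ +\n")
            os.chmod(target, 0o600)
        return [(n, os.path.relpath(p, root), pr) for n, p, pr in audit_rhosts(SAMPLE_PASSWD, root)]

if __name__ == "__main__":
    print(demo())
```

On a live host, pass the contents of the local passwd file and leave `root` at its default; only accounts listed in the text you pass are examined.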