Bug 30590

Summary: /etc/hosts.equiv and ~/.rhosts interaction violates POLA?
Product: Base System Reporter: Gavin Atkinson <ga105>
Component: confAssignee: freebsd-bugs mailing list <bugs>
Status: Open ---    
Severity: Affects Only Me    
Priority: Normal    
Version: unspecified   
Hardware: Any   
OS: Any   

Description Gavin Atkinson 2001-09-15 15:30:01 UTC
A user can override a system-wide 'disallow' entry in /etc/hosts.equiv by allowing it in his .rhosts.
Similarly, users cannot override system-wide 'allow' entries in /etc/hosts.equiv by disallowing it in his .rhosts

Therefore the sysadmin of a system cannot easily prevent rlogins from another system. This would seem to be a useful thing, for example if the remote system has been compromised.
Also, if a user cares more for his account's security than the sysadmin, he can't disable rlogins.

I believe a 'disallow' entry in either file should not be overridable.

This seems to have existed throughout the 4.x series

Fix: 

Seems pretty difficult to fix nicely without a major re-write of __ivaliduser_sa, iruserok_sa and related functions in /usr/src/lib/libc/net/rcmd.c.
How-To-Repeat: Add the following to hosts.equiv:
-foo.bar.com

a user can override this global diallow by adding the following to his .rhosts file:
+foo.bar.com

Similarly, the following in hosts.equiv:
+bar.foo.com

cannot be overrided by adding the following to a users .rhosts file:
-bar.foo.com

(both tested with rlogin on 4.1-R, 4.3-R and 4.4-RC5)
Comment 1 dwmalone 2001-09-15 15:33:00 UTC
On Sat, Sep 15, 2001 at 07:20:22AM -0700, Gavin Atkinson wrote:
> Therefore the sysadmin of a system cannot easily prevent rlogins from another system. This would seem to be a useful thing, for example if the remote system has been compromised.
> Also, if a user cares more for his account's security than the sysadmin, he can't disable rlogins.

Surely you would be much better off using hosts.allow or ipfw to
prevent such connections? That way you would stop connections
using telnet and ssh too.

	David.
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:58:47 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped