A user can override a system-wide 'disallow' entry in /etc/hosts.equiv by allowing it in his .rhosts. Similarly, users cannot override system-wide 'allow' entries in /etc/hosts.equiv by disallowing it in his .rhosts.

Therefore the sysadmin of a system cannot easily prevent rlogins from another system. This would seem to be a useful thing, for example if the remote system has been compromised. Also, if a user cares more for his account's security than the sysadmin, he can't disable rlogins. I believe a 'disallow' entry in either file should not be overridable.

This seems to have existed throughout the 4.x series.

Fix: Seems pretty difficult to fix nicely without a major re-write of __ivaliduser_sa, iruserok_sa and related functions in /usr/src/lib/libc/net/rcmd.c.

How-To-Repeat: Add the following to hosts.equiv:

    -foo.bar.com

A user can override this global disallow by adding the following to his .rhosts file:

    +foo.bar.com

Similarly, the following in hosts.equiv:

    +bar.foo.com

cannot be overridden by adding the following to a user's .rhosts file:

    -bar.foo.com

(both tested with rlogin on 4.1-R, 4.3-R and 4.4-RC5)
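The two How-To-Repeat cases above, as an added example that is not part of the original report and is not the code in rcmd.c: a simplified model of the reported evaluation order next to the "disallow is final" behaviour the report asks for. The function names and the reduced entry syntax (host entries only, exact string match) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not rcmd.c: entries are "+host", "-host" or "host";
 * user fields, netgroups and address matching are left out. */
enum verdict { NOMATCH, ALLOW, DENY };

/* First entry naming rhost decides the verdict for that file. */
static enum verdict check_file(const char *const *entries, const char *rhost)
{
    for (; *entries != NULL; entries++) {
        const char *e = *entries;
        int neg = (e[0] == '-');
        if (e[0] == '+' || e[0] == '-')
            e++;
        if (strcmp(e, rhost) == 0)
            return neg ? DENY : ALLOW;
    }
    return NOMATCH;
}

/* Reported behaviour: a hosts.equiv allow is final; a disallow there falls through to .rhosts. */
int allowed_reported(const char *const *equiv, const char *const *rhosts, const char *rhost)
{
    if (check_file(equiv, rhost) == ALLOW)
        return 1;
    return check_file(rhosts, rhost) == ALLOW;
}

/* Requested behaviour: a disallow in either file is final. */
int allowed_deny_wins(const char *const *equiv, const char *const *rhosts, const char *rhost)
{
    enum verdict sys = check_file(equiv, rhost), usr = check_file(rhosts, rhost);
    if (sys == DENY || usr == DENY)
        return 0;
    return sys == ALLOW || usr == ALLOW;
}

/* Constructed file contents, taken from the How-To-Repeat entries. */
const char *const EQUIV_1[]  = { "-foo.bar.com", NULL };
const char *const RHOSTS_1[] = { "+foo.bar.com", NULL };
const char *const EQUIV_2[]  = { "+bar.foo.com", NULL };
const char *const RHOSTS_2[] = { "-bar.foo.com", NULL };
int main(void)
{
    printf("case 1: reported=%d deny-wins=%d\n", allowed_reported(EQUIV_1, RHOSTS_1, "foo.bar.com"), allowed_deny_wins(EQUIV_1, RHOSTS_1, "foo.bar.com"));
    printf("case 2: reported=%d deny-wins=%d\n", allowed_reported(EQUIV_2, RHOSTS_2, "bar.foo.com"), allowed_deny_wins(EQUIV_2, RHOSTS_2, "bar.foo.com"));
    return 0;
}
```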

On Sat, Sep 15, 2001 at 07:20:22AM -0700, Gavin Atkinson wrote:
> Therefore the sysadmin of a system cannot easily prevent rlogins from another system. This would seem to be a useful thing, for example if the remote system has been compromised.
> Also, if a user cares more for his account's security than the sysadmin, he can't disable rlogins.

Surely you would be much better off using hosts.allow or ipfw to prevent such connections? That way you would stop connections using telnet and ssh too.

David.

For bugs matching the following criteria:

Status: In Progress
Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped