The 'Security Digest' Archives (TM)


ARCHIVE: Zardoz 'Security Digest' - Archives (1989 - 1991)
DOCUMENT: Zardoz 'Security Digest' V1 #33 1989-09-15 (1 file, 10314 bytes)
SOURCE: http://securitydigest.org/exec/display?f=zardoz/archive/133.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.



Security Digest Volume 1 Issue 33

subject(s):

            Please post to "security", not "sec-rqst"
            vacation
   e authority (or passwords, neil=root 8-)
to administer the security list.  If you absolutely have to have
something changed this month, better telephone me tomorrow at
(714) 546-1100 US.  If you send email, it will be stuck at the end of
the 507 other letters currently waiting to be processed in my security
mailbox 8-).  There's no sense in discussing using an alternate
moderator, since I only take one vacation a year which is always cut
short anyway (I was supposed to leave a week ago 8-( ).

------------------------------------------------------------------------

Date: Fri, 15 Sep 89 12:06:18 EDT
From: John Limpert <uunet!gronk!johnl>
Subject: Re: Workstation security

> On other workstations you will have to ask your manufacturer if there
> is a way of preventing all operations from the console apart from the
> standard power-up bootstrap.

Maybe I'm being dense, but why are people looking for software fixes
to a physical security problem?  The software defenses may keep out
the casual user but a determined attacker _will_ succeed.  I think one
has to assume that any workstation or LAN can be compromised by
someone who has physical access; security measures should be designed
to cope with non-trusted systems.

------------------------------------------------------------------------

Date: Sat, 16 Sep 89 3:50:25 CST
From: uunet!munnari!PISA.sait.oz.au!ccdn
Subject: Re: Workstation Security

[ This was sent to sec-rqst rather than security, I forwarded it - neil ]

uunet!iis!prl writes:
>       The hack involves copying /vmunix to /tmp/vmunix,
>       [ etc. ]

This problem can be solved by ensuring that there are no world writable
directories in the root file system.  (This implies that /tmp is a
mounted file system.)  You would still be at risk if the hacker were
able to unmount /tmp; but then again, if the hacker could do this, then
you'd be stuffed anyway! :-)

------------------------------------------------------------------------

Date: Sun, 17 Sep 89 02:05:09 +0300
From: Jyrki Kuoppala <uunet!cs.hut.fi!jkp>
Subject: Workstation security when you have access to the console

> I have sent in bug reports about this problem to Sun (who have a fix)
> and DEC (who said that it will be fixed in new models only, no ECO).
>
> On Sun workstations, you can prevent this (and some other potential breakins)
> by:
>       1) Installing boot prom version >= 2.7.1; on 3/80's you
>               will need prom version >= 3.0
>       2) Putting a password in the boot prom as described in
>               the SunOS 4.0.3 documentation
>       3) Making /dev/eeprom non-readable, and making sure
>               there aren't sneak paths to read it (eg. fingerd running
>               as root :-)

It is irresponsible from the vendors to say that the problem is fixed
just because they have made boot proms which don't let you do
something like `b -s' or `bo/2' for single user boot.  What prevents
me from opening the workstation and changing the boot prom ?  What
prevents me from bringing my own file server to the room and hooking
the ethernet cable to my workstation, then booting via the network ?
What prevents me from bringing my own SCSI disk (or a floppy if the
workstation has floppy) and booting from it ?  What prevents me from
opening the workstation, taking the disk out, connecting it to my own
machine, changing the kernel to my heart's content and putting the disk
back to the workstation ?

Sorry, you won't win by just making the console do nothing but boots.
A system like Kerberos is quite a good partial solution; it doesn't
solve all the problems, but it helps.

------------------------------------------------------------------------

Date: Fri, 15 Sep 89 09:57:26 PDT
From: Brent Chapman <uunet!capmkt!brent>
Subject: Re: rlogind/rshd broken by nameserver spoofing in in-addr.arpa domains &fix

# This brings up a very important point.  DNS names and IP addresses
# should *never* be used for authentication.  They are easily forged or
# faked in a variety of circumstances.  The only real solution is to
# never trust DNS names/addresses and use something like Kerberos.

I don't buy this at all.  Kerberos is very good at what it does, but
it is simply not a viable alternative in a wide range of situations.
For instance, unless it's been changed since I took the Kerberos class
offered at USENIX a few months ago, Kerberos relies on a single
centralized authentication server, and your whole Kerberos setup is
only as secure (or insecure) as that server.  At MIT, their server is
a small workstation (MicroVAX II, I think they said) running _nothing_
but Kerberos locked away in a closet somewhere where presumably nobody
unauthorized can get physical access to it.  This is fine for large
sites like MIT, who have several hundred or several thousand
workstations using Kerberos, and can easily dedicate one to be the
Kerberos authentication server (not because Kerberos is a resource
hog, mind you; just so that the authentication server can be made as
secure as possible by locking it up and running _nothing_ but Kerberos
on it); on the other hand, my site only has a dozen or so
workstations, so running Kerberos in this mode is clearly _not_ an
option for me.

DNS names and IP addresses can certainly be faked if somebody knows
what they're doing, but they're better than nothing.  Just because a
technique isn't perfect doesn't mean that it shouldn't be used, as
long as the folks using it understand what they're really getting and
what they aren't.

------------------------------------------------------------------------

Date: Sun, 17 Sep 89 01:48:10 +0300
From: Jyrki Kuoppala <uunet!cs.hut.fi!jkp>
Subject: Using yellow pages on a Sony NEWS 3.2 system

On Sony NEWS-OS 3.2 (Sony's version of 4.3 BSD which is otherwise
quite well done), there's one more reason for not using yellow pages.

Of course it's not that relevant, since I don't suppose their version
of yellow pages is that new and I suppose all the other holes are
still lurking there somewhere.  Anyway, I'm posting the announcement
since it might be in other yellow pages implementations, too.

On NEWS-OS 3.2, if you have the password entry:

+::0:0:::

present in /etc/passwd and ypbind is not running, it's possible for
anyone to `su +' and `rsh localhost -l + sh -i'.

Sorry, no bug fix as we don't have source yet and haven't bothered to
fix the binary because we don't use Yellow Pages.  If you're into
security, you probably shouldn't use YP anyhow.

Also, on NEWS-OS 3.2, rpc.rexd is enabled by default.  Here's the
original report on this (sony-news@cs.hut.fi is a mailing list
concerning Sony workstations, you are welcome to join it by sending
mail to sony-news-request@cs.hut.fi if you're interested):

-From: Jyrki Kuoppala <jkp@cs.hut.fi>
-To: sony-news@cs.hut.fi
-Subject: rpc.rexd
-Organization: Helsinki University of Technology, Finland.

I noticed today that Sony NEWS-OS 3.2 has rpc.rexd enabled by default.
This might be a problem if you don't want to keep your machine wide
open to anyone on the net.

Rpc.rexd is a rsh-style remote execution service which tries to make
the environment in the remote machine as much like the local as
possible.  Using rpc.rexd and the client program `on' is asking for
trouble.  Rpc.rexd automatically mounts things in /tmp; if you have a
cron job to clean /tmp periodically from old stuff, you're in deep
trouble.

Also, the BUGS section in the manual page says:

BUGS
     Should be better access control.

Talk about an understatement.  If rpc.rexd is enabled, anyone on the
same TCP/IP network (that's everybody on the internet / nordunet /
some places elsewhere in Europe / Australia / whatever for us) can
access the machine with any user id she wants, except root.  Of course
it's trivial to get root access after you get e.g. daemon privileges.
Rpc.rexd originally comes from Sun with the remote procedure call
package; I haven't seen it enabled by default on any SunOS machine,
however.

Rpc.rexd can be disabled by editing /etc/inetd.conf and adding # to
the beginning of the line rpc.rexd is mentioned.

I think open networking is a good idea, too, but sometimes the Sun
people tend to go a bit farther than I would ;-).

[ Every network service that is not ABSOLUTELY required should be
  disabled if you are really concerned about security - neil ]

------------------------------------------------------------------------

Date: Sun, 17 Sep 89 08:48:42 +0300
From: Jyrki Kuoppala <uunet!cs.hut.fi!jkp>
Subject: Something you didn't want to know about Sun's Yellow Pages

It appears that you can't win at all with SunOS 4.0.3c (and probably
all earlier versions, too) even if you're not running yellow pages.
Or for that matter with most Unixes using Sun's Yellow Pages.

Let's assume three machines; securemachine, evilmachine and
friendlymachine.  Also, let's assume that you have a normal account on
securemachine and root access to evilmachine.  You want to get root
access on securemachine.  You also know that there's the line
`friendlymachine root' on securemachine's /.rhosts.  Securemachine is
SunOS 4.0.3c which is not running YP.  I'll explain how you can get
the root access on securemachine if the domainname on securemachine is
set.

The relation of securemachine, evilmachine and friendlymachine is
irrelevant as long as they're on the same TCP/IP network; they don't
even need to be on the same continent.

Get SunOS 4.0.1 binaries for ypbind, ypset and ypserv or write your
own.  Modify ypserv to use /tmp everywhere that it uses /var.  Set up
your own yp database in /tmp/yp.  Make the database contain
evilmachine's IP address with the name entry as friendlymachine.

Start the modified ypserv on securemachine.  Start your own ypbind on
securemachine.  Print the domainname of securemachine - let's assume
it's `noname' as it often is when yp is not running.  Give the command
`ypset -h securemachine -d noname securemachine' on evilmachine as
root (ypset should be the 4.0.1 version or the one you wrote).

Give the command `rsh securemachine -l root sh -i' from evilmachine
and do your merry way.

This probably works also on other YP implementations and you don't
even need to give the ypset command from another machine.

FIX: I don't see a clean fix applicable to all cases.  Setting the
domainname to the null string seems to help, but I haven't checked it
deep enough.  I don't know if running YP helps; probably not, as the
portmapper didn't practice any access control last I looked (older
versions even allow you to remap things from a remote host !) so
anyone can just remap the ypserv to their own version.  Anyway, if you
choose to run YP, you're in another kind of mess altogether if you
don't have the latest versions (I don't know if 4.0.3c is good enough,
but I don't think it is).  Running the domain name server and using
the resolver libraries for host name lookup helps, but depending on
your flavor of unix the group, sendmail alias, services etc. files
might also be under YP.  They sure are on a Sun.

REAL FIX: Just fix the YP libraries to check that the ypbind process
is running on a privileged IP port (that is, between 513 and 1023) and
recompile all binaries.  While you're at it, fix the ypbind process to
bind only to ypserv processes which are on a privileged port on an IP
address which corresponds to a list stored in a local file.  What's
that, you don't have source ?  AARRGGGHH, time to reach for that PANIC
switch disconnecting you from the power network and CTFV (Call The
Friendly Vendor) !!!

------------------------------------------------------------------------

Date: Sun, 17 Sep 89 06:07:22 +0300
From: Jyrki Kuoppala <uunet!cs.hut.fi!jkp>
Subject: (non)security of SunOS 4.0.3c on a Sparcstation

Ah well, time for some Sun-bashing again.  Nothing much new here, but
seems that the old bugs haven't been fixed and more ways to use them
have surfaced because of this.  Also, if you thought that sendmail was
fixed in 4.0.3, you were wrong.  I reported the sendmail thing
earlier, but as I was (mis)informed that it's fixed in 4.0.3, I didn't
take a closer look at it (we didn't have 4.0.3 at the time).

I was promised to be sent an address for the person in charge of
security bugs inside Sun when I reported the rwalld / wall security
problem to the Sun-Spots mailing list (which is gatewayed to
comp.sys.sun), but I never got it.  So I'm CC'ing this to some people
on the Sun which may not be the right people but perhaps can forward
the mail to the right address.

Here's some sad facts about the default configuration of a
Sparcstation running SunOS 4.0.3c, in some kind of order of seriousness:

1. The sendmail in 4.0.3c is still buggy.  Anyone who can access the
sendmail daemon (connect to the smtp port) can write to any existing
file writable by any user other than root.  It's easy to get access to any
user's account by writing into her .rhosts file.  Here's an example:

jkp@sauna.hut.fi '~' 1: tn your.friendly.sun smtp
Trying 1.2.3.4 ...
Connected to your.friendly.sun.
Escape character is '^]'.
220 your.friendly.sun Sendmail 4.0/SMI-4.0 ready at Sun, 17 Sep 89 03:18:08 +0300
mail from: <jkp@sauna.hut.fi>
250 <jkp@sauna.hut.fi>... Sender ok
rcpt to: /etc/passwd
554 /etc/passwd... Cannot mail directly to files
rcpt to: /etc/passwd
550 /etc/passwd... Addressee unknown
data
354 Enter mail, end with "." on a line by itself
ignore

[ Did your posting get chopped off here?  This is all I received - neil ]

------------------------------------------------------------------------

Date: Sun, 17 Sep 89 18:11:45 +0300
From: uunet!cs.hut.fi!jkp
Subject: the rcmd hole

> }  ... (like the one when ftpd accepts port numbers smaller than 1024).
> Please publish that one, I don't remember seeing it.

Actually this is old potatoes; it was published as number 36 of the
ucb-fixes list (two years ago).  I just happened to hear a way to
exploit it with ftp a few months ago and as I saw that it was STILL
not fixed on our SunOS, I thought that it would be time for some
publicity again.  I was surprised to find it fixed in SunOS 4.0.3c.

Here's the original fix from ucb:

> Subject: refuse to accept connections from ports below 512
> Index: etc/{rshd.c,rlogind.c} 4.3BSD
>
> Description:
>       It is strongly suggested that the following fixes be applied
>       to etc/rshd.c and etc/rlogind.c.  They take care of a security
>       problem in 4.3BSD.
> Repeat-By:
>       Use your imagination.
> Fix:
>       Apply the following patches.
>
> [ ]
>
> *** rlogind.c.old     Thu Sep 17 19:19:26 1987
> --- rlogind.c.new     Thu Sep 17 19:21:15 1987

There might be other ways to exploit it than ftp, so the right place
to make the fix is probably, as UCB says, in rshd and rlogind, not
in ftpd.  There was the recent post of checking .rhosts hostnames
which contained fixed versions of rshd and rlogind, so it's probably
not needed to publish the below-512 port number problem again.

Anyway, if you can write to a file on the ftp
server on machine A (you have an account on it or it has an
ftp-writable anon. ftp dir) and machine B, which trusts machine A with
rshd authentication, has the unfixed rshd / rlogin daemon, you can
impersonate a trusted user on machine B by giving 513 as the
destination port number.

------------------------------------------------------------------------

Date: Fri, 15 Sep 89 16:35:03 MST
From: Jeff Forys <uunet!snake.utah.edu!forys>
Subject: Re: Ultrix, r-commands, and the DNS

        From:    uunet!umiacs.UMD.EDU!steve
        Subject:  Ultrix, r-commands, and the DNS

           In my modified scheme, we'd have:

                I rlogin later.dude.org -l bogon.
                rlogind on later.dude.org gets my IP address (128.8.120.3) in
                        accept(), and uses gethostbyaddr to turn that back into
                        a host name (in this case, decwrl.dec.com).
                rlogind does a gethostbyname on decwrl.dec.com, and gets back
                        16.1.0.1 as the one and only IP address for decwrl.
                rlogind compares 128.8.120.3 to each element in the list of
                        decwrl's IP addresses, and fails to find a match.
                rlogind replies, ``intruder alert'', closes the connection, and
                        syslogs the details at high priority.

I fixed this a while ago, so I can save you the trouble of recoding
it.  Your solution sounds *almost* reasonable.  :-)  Back in February,
I checked what Berkeley had done about this problem, and it was similar
to what you just suggested; originally, they only verified addresses in
the local domain, but later added a settable flag to check all
addresses... certainly a good idea.

However, I had another problem with both their, and your fix; namely,
the possibility of denial of service.  Consider, if an administrator
screws up the name server, or if gethostbyname() fails, the user will
be unable to log in, even if they know their password.  I added a new
flag to login (-R) which basically says "this is an rlogin, but the
user has not been authenticated (i.e. ask for a password)".  Rlogind
then uses `-R' in place of `-r' when it exec's "/bin/login".

In case of name server failure, I allow ruserok() to be performed on
the getpeername()'d internet address (i.e. if a ".rhosts" contains a
dotted quad).  I realize that internet addresses are not completely
secure, but we don't have time to do Kerberos yet!

Finally, I toned down the error message to LOG_NOTICE since it's not
*that* serious... when it happens, it's usually due to an honest
mistake; for proof, I offer our (edited) log file from "cs.utah.edu":

        Mar 14 15:01:27 cs rsh[15384]:
                Host/Address mismatch (ike.med.utah.edu != 128.110.68.77)
        Mar 14 15:01:40 cs rsh[15395]:
                Host/Address mismatch (ike.med.utah.edu != 128.110.68.77)
        Mar 26 19:39:38 cs rlogind[26278]:
                Host/Address mismatch (Smogland.ICSL.UCLA.EDU != 128.97.90.17)
        Jun 21 04:10:38 cs rlogind[14019]:
                Host/Address mismatch (sol.engin.umich.edu != 35.2.128.64)
        Jun 21 04:15:27 cs rlogind[14109]:
                Host/Address mismatch (sol.engin.umich.edu != 35.2.128.64)
        Aug  3 15:09:02 cs rlogind[6001]:
                Host/Address mismatch (ucbarpa.Berkeley.EDU != 128.32.137.8)
        Aug  3 15:13:02 cs rlogind[6090]:
                Host/Address mismatch (ucbarpa.Berkeley.EDU != 128.32.137.8)

Context diffs inside a shar file follow; let me know if there's a bug
anywhere (i.e. by sending mail... like, don't log in here as me! :-)).

: ------ CUT HERE ------
export PATH || exec /bin/sh $0 $*
: This is a shell archive, so you should:
:  1. remove everything above the "CUT HERE" line
:  2. run the remaining file through /bin/sh
: This will get you the files:
: DNSauth/rshd.c_diffs
: DNSauth/login.c_diffs
: DNSauth/rlogind.c_diffs
: as they were when this archive was created on Fri Sep 15 15:19:58 1989
: ----------------------------------------- :
PATH="/bin:/usr/bin:/usr/ucb:$PATH"
export PATH
if test -f 'DNSauth'
then
        echo directory 'DNSauth' is a file
        exit 1
elif test '!' -d 'DNSauth'
then
        echo 'mkdir DNSauth'
        mkdir 'DNSauth'
fi
if test -f 'DNSauth/rshd.c_diffs' -o -d 'DNSauth/rshd.c_diffs'
then
        echo "arch: file 'DNSauth/rshd.c_diffs' exists. Not overwritten"
else
echo 'x DNSauth/rshd.c_diffs 1675 bytes'
sed -e 's/^X//' > DNSauth/rshd.c_diffs << EOF\ DNSauth/rshd.c_diffs
X*** /tmp/,RCSt1015284  Fri Sep 15 15:12:26 1989
X--- /tmp/,RCSt2015284  Fri Sep 15 15:12:26 1989
X***************
X*** 158,166 ****
X       dup2(f, 2);
X       hp = gethostbyaddr((char *)&fromp->sin_addr, sizeof (struct in_addr),
X               fromp->sin_family);
X!      if (hp)
X!              hostname = hp->h_name;
X!      else
X               hostname = inet_ntoa(fromp->sin_addr);
X       getstr(remuser, sizeof(remuser), "remuser");
X       getstr(locuser, sizeof(locuser), "locuser");
X--- 158,193 ----
X       dup2(f, 2);
X       hp = gethostbyaddr((char *)&fromp->sin_addr, sizeof (struct in_addr),
X               fromp->sin_family);
X!      if (hp) {
X!              /*
X!               * Verify that we haven't been fooled by someone; look up the
X!               * name and check that this address corresponds to the name.
X!               */
X!              char remotehost[2 * MAXHOSTNAMELEN + 1];
X!
X!              strncpy(remotehost, hp->h_name, sizeof(remotehost) - 1);
X!              remotehost[sizeof(remotehost) - 1] = 0;
X!              if ((hp = gethostbyname(remotehost)) == NULL) {
X!                      syslog(LOG_INFO, "Address lookup failed for %s",
X!                             remotehost);
X!                      error("Couldn't find address for your host\n");
X!                      hostname = inet_ntoa(fromp->sin_addr);
X!              } else for (; ; hp->h_addr_list++) {
X!                      if (hp->h_addr_list[0] == NULL) {
X!                              syslog(LOG_NOTICE,
X!                                     "Host/Address mismatch (%s != %s)",
X!                                     remotehost, inet_ntoa(fromp->sin_addr));
X!                              error("Host/Address mismatch\n");
X!                              exit(1);
X!                      }
X!                      if (!bcmp(hp->h_addr_list[0],
X!                          (caddr_t)&fromp->sin_addr,
X!                          sizeof(fromp->sin_addr))) {
X!                              hostname = hp->h_name;
X!                              break;
X!                      }
X!              }
X!      } else
X               hostname = inet_ntoa(fromp->sin_addr);
X       getstr(remuser, sizeof(remuser), "remuser");
X       getstr(locuser, sizeof(locuser), "locuser");
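Review bot: the loop `for (; ; hp->h_addr_list++)` advances the `h_addr_list` pointer inside the `struct hostent` that gethostbyname() returned, which is static storage owned by the resolver library; walk the list with a local index (`for (i = 0; hp->h_addr_list[i]; i++)`) instead, and compare `hp->h_length` bytes rather than `sizeof(fromp->sin_addr)` so a record of another address family cannot compare equal by accident. Note also that on a forward-lookup failure this branch continues with `hostname = inet_ntoa(...)`, so a `.rhosts` entry holding the dotted quad still authenticates in rshd, whereas the login.c change for `-R` returns -1 unconditionally; the covering note should say that the two daemons differ here.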
EOF DNSauth/rshd.c_diffs
if test 1675 -ne "`wc -c < 'DNSauth/rshd.c_diffs'`"
then
        echo '"DNSauth/rshd.c_diffs" CORRUPTED. Should be 1675 bytes'
fi
fi ; : End of overwrite check -- DNSauth/rshd.c_diffs
if test -f 'DNSauth/login.c_diffs' -o -d 'DNSauth/login.c_diffs'
then
        echo "arch: file 'DNSauth/login.c_diffs' exists. Not overwritten"
else
echo 'x DNSauth/login.c_diffs 2480 bytes'
sed -e 's/^X//' > DNSauth/login.c_diffs << EOF\ DNSauth/login.c_diffs
X*** /tmp/,RCSt1015302  Fri Sep 15 15:13:14 1989
X--- /tmp/,RCSt2015302  Fri Sep 15 15:13:15 1989
X***************
X*** 17,22 ****
X--- 17,23 ----
X  /*
X   * login [ name ]
X   * login -r hostname (for rlogind)
X+  * login -R hostname (for rlogind, when gethostbyname() fails)
X   * login -h hostname (for telnetd, etc.)
X   */
X
X***************
X*** 94,100 ****
X
X  struct winsize win = { 0, 0, 0, 0 };
X
X! int  rflag;
X
X  int  usererr = -1;
X  char rusername[NMAX+1], lusername[NMAX+1];
X--- 95,101 ----
X
X  struct winsize win = { 0, 0, 0, 0 };
X
X! int  rflag, Rflag;
X
X  int  usererr = -1;
X  char rusername[NMAX+1], lusername[NMAX+1];
X***************
X*** 124,130 ****
X  #endif !VFS
X       /*
X        * -p is used by getty to tell login not to destroy the environment
X!       * -r is used by rlogind to cause the autologin protocol;
X        * -h is used by other servers to pass the name of the
X        * remote host to login so that it may be placed in utmp and wtmp
X        */
X--- 125,131 ----
X  #endif !VFS
X       /*
X        * -p is used by getty to tell login not to destroy the environment
X!       * -r/-R are used by rlogind to cause the autologin protocol;
X        * -h is used by other servers to pass the name of the
X        * remote host to login so that it may be placed in utmp and wtmp
X        */
X***************
X*** 131,143 ****
X       (void) gethostname(me, sizeof(me));
X       domain = index(me, '.');
X       while (argc > 1) {
X!              if (strcmp(argv[1], "-r") == 0) {
X!                      if (rflag || hflag) {
X!                              printf("Only one of -r and -h allowed\n");
X                               exit(1);
X                       }
X                       if (argv[2] == 0)
X                               exit(1);
X                       rflag = 1;
X                       usererr = doremotelogin(argv[2]);
X                       if ((p = index(argv[2], '.')) && domain &&
X--- 132,146 ----
X       (void) gethostname(me, sizeof(me));
X       domain = index(me, '.');
X       while (argc > 1) {
X!              if (strcmp(argv[1], "-r") == 0 || strcmp(argv[1], "-R") == 0) {
X!                      if (Rflag || rflag || hflag) {
X!                              printf("Only one of -r, -R and -h allowed\n");
X                               exit(1);
X                       }
X                       if (argv[2] == 0)
X                               exit(1);
X+                      if (strcmp(argv[1], "-R") == 0)
X+                              Rflag = 1;
X                       rflag = 1;
X                       usererr = doremotelogin(argv[2]);
X                       if ((p = index(argv[2], '.')) && domain &&
X***************
X*** 526,532 ****
X               pwd = &nouser;
X               return(-1);
X       }
X!      return(ruserok(host, (pwd->pw_uid == 0), rusername, lusername));
X  }
X
X  getstr(buf, cnt, err)
X--- 529,536 ----
X               pwd = &nouser;
X               return(-1);
X       }
X!      return(Rflag? -1:
X!             ruserok(host, (pwd->pw_uid == 0), rusername, lusername));
X  }
X
X  getstr(buf, cnt, err)
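Review bot: `return(Rflag? -1: ruserok(...))` skips ruserok() entirely whenever `-R` was given, so the behaviour described in the covering note (ruserok() performed on the getpeername()'d address when the name server fails, so that a dotted quad in `.rhosts` still works) does not happen on the rlogin path: with `-R`, `host` is the dotted quad but the user always gets the password prompt. If the dotted-quad check is intended, call ruserok() first and return -1 only when it fails; if the unconditional prompt is intended, the note should say so.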
EOF DNSauth/login.c_diffs
if test 2480 -ne "`wc -c < 'DNSauth/login.c_diffs'`"
then
        echo '"DNSauth/login.c_diffs" CORRUPTED. Should be 2480 bytes'
fi
fi ; : End of overwrite check -- DNSauth/login.c_diffs
if test -f 'DNSauth/rlogind.c_diffs' -o -d 'DNSauth/rlogind.c_diffs'
then
        echo "arch: file 'DNSauth/rlogind.c_diffs' exists. Not overwritten"
else
echo 'x DNSauth/rlogind.c_diffs 3129 bytes'
sed -e 's/^X//' > DNSauth/rlogind.c_diffs << EOF\ DNSauth/rlogind.c_diffs
X*** /tmp/,RCSt1015258  Fri Sep 15 15:10:13 1989
X--- rlogind.c  Thu Feb 23 16:32:00 1989
X***************
X*** 24,29 ****
X--- 24,30 ----
X
X  #include <stdio.h>
X  #include <sys/types.h>
X+ #include <sys/param.h>
X  #include <sys/stat.h>
X  #include <sys/socket.h>
X  #include <sys/wait.h>
X***************
X*** 84,91 ****
X       int f;
X       struct sockaddr_in *fromp;
X  {
X!      int i, p, t, pid, on = 1;
X       register struct hostent *hp;
X       struct hostent hostent;
X       char c;
X
X--- 85,93 ----
X       int f;
X       struct sockaddr_in *fromp;
X  {
X!      int i, p, t, pid, on = 1, hostok = 0;
X       register struct hostent *hp;
X+      char remotehost[2 * MAXHOSTNAMELEN + 1];
X       struct hostent hostent;
X       char c;
X
X***************
X*** 95,114 ****
X               exit(1);
X       alarm(0);
X       fromp->sin_port = ntohs((u_short)fromp->sin_port);
X       hp = gethostbyaddr(&fromp->sin_addr, sizeof (struct in_addr),
X               fromp->sin_family);
X       if (hp == 0) {
X               /*
X!               * Only the name is used below.
X                */
X!              hp = &hostent;
X!              hp->h_name = inet_ntoa(fromp->sin_addr);
X       }
X       if (fromp->sin_family != AF_INET ||
X           fromp->sin_port >= IPPORT_RESERVED ||
X           fromp->sin_port < IPPORT_RESERVED/2)
X               fatal(f, "Permission denied");
X       write(f, "", 1);
X       for (c = 'p'; c <= 's'; c++) {
X               struct stat stb;
X               line = "/dev/ptyXX";
X--- 97,142 ----
X               exit(1);
X       alarm(0);
X       fromp->sin_port = ntohs((u_short)fromp->sin_port);
X+      /* set hostent (h_name) in case we need it below */
X+      hostent.h_name = inet_ntoa(fromp->sin_addr);
X       hp = gethostbyaddr(&fromp->sin_addr, sizeof (struct in_addr),
X               fromp->sin_family);
X       if (hp == 0) {
X+              hp = &hostent;
X+      } else {
X               /*
X!               * Verify that we haven't been fooled by someone; look up the
X!               * name and check that this address corresponds to the name.
X                */
X!              strncpy(remotehost, hp->h_name, sizeof(remotehost) - 1);
X!              remotehost[sizeof(remotehost) - 1] = 0;
X!              if ((hp = gethostbyname(remotehost)) == NULL) {
X!                      hp = &hostent;
X!                      syslog(LOG_INFO, "Address lookup failed for %s",
X!                             remotehost);
X!              } else {
X!                      for (; hp->h_addr_list[0]; hp->h_addr_list++)
X!                              if (!bcmp(hp->h_addr_list[0],
X!                                  (caddr_t)&fromp->sin_addr,
X!                                  sizeof(fromp->sin_addr))) {
X!                                      hostok++;
X!                                      break;
X!                              }
X!                      if (!hostok) {
X!                              hp = &hostent;
X!                              syslog(LOG_NOTICE,
X!                                     "Host/Address mismatch (%s != %s)",
X!                                     remotehost, hp->h_name);
X!                      }
X!              }
X       }
X+
X       if (fromp->sin_family != AF_INET ||
X           fromp->sin_port >= IPPORT_RESERVED ||
X           fromp->sin_port < IPPORT_RESERVED/2)
X               fatal(f, "Permission denied");
X       write(f, "", 1);
X+
X       for (c = 'p'; c <= 's'; c++) {
X               struct stat stb;
X               line = "/dev/ptyXX";
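Review bot: the reserved-port test (`fromp->sin_port >= IPPORT_RESERVED || fromp->sin_port < IPPORT_RESERVED/2`) still runs after both name-server lookups, so a connection from an unprivileged port now costs a gethostbyaddr() and a gethostbyname() round trip before it is refused with "Permission denied"; move that test above the gethostbyaddr() call. As in the rshd diff, `for (; hp->h_addr_list[0]; hp->h_addr_list++)` increments the list pointer inside the static hostent returned by gethostbyname(); use a local index instead.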
X***************
X*** 150,156 ****
X               close(f), close(p);
X               dup2(t, 0), dup2(t, 1), dup2(t, 2);
X               close(t);
X!              execl("/bin/login", "login", "-r", hp->h_name, 0);
X               fatalperror(2, "/bin/login", errno);
X               /*NOTREACHED*/
X       }
X--- 178,184 ----
X               close(f), close(p);
X               dup2(t, 0), dup2(t, 1), dup2(t, 2);
X               close(t);
X!              execl("/bin/login", "login", hostok? "-r": "-R", hp->h_name, 0);
X               fatalperror(2, "/bin/login", errno);
X               /*NOTREACHED*/
X       }
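Review bot: `hostok? "-r": "-R"` gives the same `-R` to all three non-verified cases (no PTR record, forward lookup failed, confirmed mismatch), so a mismatch is downgraded to a password prompt rather than refused as in the "intruder alert" draft quoted above; that is consistent with the covering note, but it means the LOG_NOTICE "Host/Address mismatch" line is the only record that a spoof attempt was seen, so the comment at the execl() should state that a mismatch is deliberately not fatal.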
EOF DNSauth/rlogind.c_diffs
if test 3129 -ne "`wc -c < 'DNSauth/rlogind.c_diffs'`"
then
        echo '"DNSauth/rlogind.c_diffs" CORRUPTED. Should be 3129 bytes'
fi
fi ; : End of overwrite check -- DNSauth/rlogind.c_diffs
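As an added example (not code from the digest, from Jeff Forys's patches, or from any vendor), the forward-confirmed reverse lookup that the rshd/rlogind diffs above implement, together with the source-port window the rlogind diff enforces and that UCB's "refuse ports below 512" fix from the rcmd-hole message relies on. The name server is replaced by constructed in-memory records so the check runs offline; the addresses 128.8.120.3 and 16.1.0.1 come from Steve's scenario, the other records are made up.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Outcome of checking the connecting peer; the comments give the rlogind action. */
enum peer_status {
    PEER_VERIFIED,       /* PTR name resolves back to this address: login -r */
    PEER_NO_REVERSE,     /* gethostbyaddr() failed: name stays the dotted quad, -R */
    PEER_FORWARD_FAILED, /* gethostbyname() on the PTR name failed: -R */
    PEER_MISMATCH        /* name resolves, but not to this address: NOTICE, -R */
};

/* Constructed stand-ins for the name server (no network needed).  Whoever owns an
 * address block can publish any PTR name; only the claimed name's A records count. */
struct fwd_record { const char *name; const char *addrs[3]; };
static const struct fwd_record FWD[] = {
    { "decwrl.dec.com",      { "16.1.0.1", NULL } },
    { "ike.med.utah.edu",    { "128.110.68.70", "128.110.68.71", NULL } },
    { "sol.engin.umich.edu", { "35.1.1.42", NULL } },
};
struct ptr_record { const char *addr; const char *name; };
static const struct ptr_record PTR[] = {
    { "16.1.0.1",      "decwrl.dec.com" },
    { "128.8.120.3",   "decwrl.dec.com" },      /* forged PTR from Steve's scenario */
    { "128.110.68.71", "ike.med.utah.edu" },
    { "35.2.128.64",   "sol.engin.umich.edu" }, /* stale PTR, as in the log excerpt */
    { "10.9.8.7",      "nowhere.invalid" },     /* PTR with no forward record */
};

static int same_addr(const char *dotted, const struct in_addr *a)
{
    struct in_addr b;
    return inet_pton(AF_INET, dotted, &b) == 1 && memcmp(&b, a, sizeof b) == 0;
}

static const char *reverse_lookup(const struct in_addr *a)
{
    for (size_t i = 0; i < sizeof PTR / sizeof PTR[0]; i++)
        if (same_addr(PTR[i].addr, a))
            return PTR[i].name;
    return NULL;
}

static const struct fwd_record *forward_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof FWD / sizeof FWD[0]; i++)
        if (strcasecmp(FWD[i].name, name) == 0) /* DNS names are case-insensitive */
            return &FWD[i];
    return NULL;
}

/* Forward-confirmed reverse lookup.  hostname receives the name the daemon may
 * trust: the verified name, or the dotted quad in every other case (the diffs'
 * hp = &hostent / inet_ntoa() fallback). */
enum peer_status check_peer(const char *peer_dotted, char *hostname, size_t len)
{
    struct in_addr peer;
    snprintf(hostname, len, "%s", peer_dotted);
    if (inet_pton(AF_INET, peer_dotted, &peer) != 1)
        return PEER_NO_REVERSE;
    const char *name = reverse_lookup(&peer);
    if (name == NULL)
        return PEER_NO_REVERSE;
    const struct fwd_record *rec = forward_lookup(name);
    if (rec == NULL)
        return PEER_FORWARD_FAILED;
    /* Walk the list with a local index; never advance the list pointer itself. */
    for (int i = 0; rec->addrs[i] != NULL; i++)
        if (same_addr(rec->addrs[i], &peer)) {
            snprintf(hostname, len, "%s", rec->name);
            return PEER_VERIFIED;
        }
    return PEER_MISMATCH; /* caller logs "Host/Address mismatch (name != addr)" */
}

/* Source-port window from the rlogind diff: a privileged port, but not the low
 * half.  ftp-data (port 20) sits in the rejected half, which is what UCB's
 * "refuse ports below 512" fix for the rcmd hole depends on. */
int source_port_ok(unsigned port) { return port >= IPPORT_RESERVED / 2 && port < IPPORT_RESERVED; }

/* Flag rlogind hands to /bin/login: only a verified name gets the autologin path. */
const char *login_flag(enum peer_status s) { return s == PEER_VERIFIED ? "-r" : "-R"; }

int main(void)
{
    const char *peers[] = { "16.1.0.1", "128.8.120.3", "35.2.128.64", "10.9.8.7", "192.0.2.9" };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++) {
        char host[129];
        enum peer_status s = check_peer(peers[i], host, sizeof host);
        printf("%-13s -> %s, login %s\n", peers[i], host, login_flag(s));
    }
    return 0;
}
```

The forged-PTR case (128.8.120.3 claiming to be decwrl.dec.com) comes back as a mismatch with the dotted quad as the only trusted name, which is exactly the case the diffs downgrade to a password prompt.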

------------------------------------------------------------------------------

        End of Security Digest Volume 1 Issue 33
        **********************
