On Tue, 2002-02-05 at 19:35, Geoffrey Lee wrote:
> On Tue, Feb 05, 2002 at 04:05:15PM -0600, Bryan Paxton wrote:
> > Patch against the perm.* files to handle the Berkeley rtools (this should have
> > been done back in msec 0.1).
> > This also follows the policy I'm pushing for (notice in all levels none of the
> > tools are allowed to be setuid).
> >
> >
> > diff -urN msec-0.18/conf/perm.0 msec/conf/perm.0 > > --- msec-0.18/conf/perm.0 Mon Jan 28 10:25:56 2002 > > +++ msec/conf/perm.0 Tue Feb 5 15:54:49 2002 > > @@ -82,3 +82,8 @@ > > /var/log/*/. current 755 > > /var/spool/mail/ root.mail 2775 > > /var/tmp root.root 777 > > +/usr/bin/rsh root.root 755
> >
> doesn't rsh need to be suid
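
Review bot: the `+/usr/bin/rsh root.root 755` entry at the end of perm.0 drops the setuid bit from rsh without anything in the file or the patch description telling an administrator that rhosts authentication will stop working until the bit is restored by hand; a changelog or documentation entry should say so. The hunk header `@@ -82,3 +82,8 @@` also declares five added lines while only this one appears in the quoted text, so the other entries, and the claim that none of the tools is setuid at any level, cannot be checked from what is shown here. Please repost the full hunk along with the perm.1 through perm.5 hunks.
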
No and yes.
No, it doesn't have to be setuid for use with rsync or rdist, cvs, etc...
However, if you wish to actually use rsh to facilitate the rhosts auth, yes it
does need to be setuid root (same goes for ssh, if you wish to use rhost auth
with it. Which should be added to the perm files as well).

But you have to ask yourself a few questions...

1. Who the hell uses rhost auth anymore?
2. Being that mdk's target audience is the desktop user, are they ever going to
   encounter a situation where they need rhost functionality?
3. Why rsh when there's ssh?

The questions could go on... But I think the only people who might actually
need to rsh, would be knowledgeable enough to know how to do a 'chmod +s foo'.

Like I said, ssh really doesn't need to be setuid either, unless you
specifically need to use rhost auth, but refer above for all that info.

This is arguable, but I think the sane and logical choice to make is to strip
all these of their setuid bits.

Which brings me to another topic, if ssh exists then rsh=ssh needs to be put in
/etc/profile, somewhere down the road via msec. I meant to reply to this thread
for that specific topic, but forgot...

--
Bryan Paxton
Public PGP key: http://www.deadhorse.net/bpaxton.gpg

"What laughter, why joy, when constantly aflame?
Enveloped in darkness, don't you look for a lamp?"
Dhp. 163
