On 5 Feb 2002, Bryan Paxton wrote:

> No and yes. No, it doesn't have to be setuid for use with rsync or
> rdist, cvs, etc...
>
> However, if you wish to actually use rsh to facilitate the rhosts auth,
> yes it does need to be setuid root (same goes for ssh, if you wish to
> use rhost auth with it. Which should be added to the perm files as
> well).
>
> But you have to ask yourself a few questions...
> 1. Who the hell uses rhost auth anymore?
> 2. Being that mdk's target audience is the desktop user, are they ever
> going to encounter a situation where they need rhost functionality?
> 3. Why rsh when there's ssh?
> The questions could go on...
> But I think the only people who might actually need to rsh, would be
> knowledgeable enough to know how to do a 'chmod +s foo'.
>
> Like I said, ssh really doesn't need to be setuid either, unless you
> specifically need to use rhost auth, but refer above for all that info.
>
> This is arguable, but I think the sane and logical choice to make is to
> strip all these of their setuid bits.

Mandrake has done this before, but reverted to setuid ssh later. Somebody (Danen?) mentioned that Theo de Raadt yelled at mandrakesoft, complaining about a broken non-setuid ssh...

Abel

> Which brings me to another topic, if ssh exists then rsh=ssh needs to be
> put in /etc/profile, somewhere down the road via msec. I meant to reply
> to this thread for that specific topic, but forgot...
