On Tue, 2002-02-05 at 22:13, Geoffrey Lee wrote:
> > But you have to ask yourself a few questions...
> > 1. Who the hell uses rhost auth anymore?
> > 2. Being that mdk's target audience is the desktop user, are they ever
> > going to encounter a situation where they need rhost functionality?
> > 3. Why rsh when there's ssh?
> > The questions could go on...
> > But I think the only people who might actually need to rsh, would be
> > knowledgeable enough to know how to do a 'chmod +s foo'.
> >
> > Like I said, ssh really doesn't need to be setuid either, unless you
> > specifically need to use rhost auth, but refer above for all that info.
> >
> > This is arguable, but I think the sane and logical choice to make is to
> > strip all these of their setuid bits.
> >
>
> That's something done in good faith, but my argument is not what you are going
> to do with it but you're going to break protocol specifications if you do this.
>
> Anyway that's my personal (biased) opinion, something done in good faith vs
> what it's supposed to be like.
>

I agree with that... Time to move on though, rsh is a dead protocol IMHO
(or at least it should be), but yes, if you want to keep everyone happy as
far as protocol specifications go, then you'll have to leave it the way it
is.

But, if it was my choice... I'd rather piss Theo and a few others off than
have users of mdk at risk of some root exploit via rsh or ssh (no, there's
not one out right now for the vers packaged in mdk, I'm speaking
future-wise).

I'd actually want to not ship rsh at all, and just have tools that use rsh
use ssh instead (rsync, rdist, cvs, etc.).

This brings me to another protocol :) (I know I'm a bastard ;p)
I don't think mdk should ship a telnet server either (even if it uses krb,
krb is f'n weak, and has had so many holes in the past, and who knows how
many in the future). Among many other tools that I don't think mdk should
ship.

I also have a barrage of other ideas that I will bring up after the 8.2
release (not proper for right now since so close).

But speaking of standards and specifications... (see next email).

-- 
Bryan Paxton
Public PGP key: http://www.deadhorse.net/bpaxton.gpg

"What laughter, why joy, when constantly aflame?
Enveloped in darkness, don't you look for a lamp?"
Dhp. 163
