I would like to gather some opinions in regards to _very slightly_
backing off on rexec's security.

rexec makes the following checks, and refuses to allow usage if any are
true:

        uid == 0
        password is blank
        user is in /etc/ftpusers

I put it to everyone that the first and third checks are equivalent and
redundant. Moreover, since the first check can be done by the third check
(and is at install time by default) without recompiling rexecd, removing
the first check results in no real loss of security, while slightly
increasing flexibility for those who have some need for it.

Yes, the r commands are deprecated. But they are still there, and I am all
for allowing the administrator to decide to override defaults rather than
forcing them to alter the source and recompile it.

Comments?
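
Added example, not part of the original post and not rexecd's source: the three checks listed above as a C function run over constructed accounts, with a flag that models dropping the uid check. The struct, the account names and the simplified one-name-per-line deny-list format are assumptions; the run shows that the name-based list matches the uid check only for accounts that are actually listed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the fields of struct passwd that the checks use. */
struct acct { const char *name; unsigned uid; const char *pw; };

/* Constructed sample data: a deny list naming root, and three accounts. */
static const char DENY[] = "# constructed sample\nroot\n";
static const struct acct ROOT  = { "root",      0,    "$2b$constructed" };
static const struct acct ALIAS = { "rootalias", 0,    "$2b$constructed" };
static const struct acct ALICE = { "alice",     1001, "$2b$constructed" };

/* True if name is a whole line of the list; lines starting with '#' are comments. */
static bool in_deny_list(const char *list, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = list; *p != '\0'; ) {
        size_t len = strcspn(p, "\n");
        if (*p != '#' && len == n && strncmp(p, name, n) == 0)
            return true;
        p += len;
        if (*p == '\n')
            p++;
    }
    return false;
}

/* The three refusals from the post; check_uid0 = false models dropping the first. */
static bool rexec_allowed(const struct acct *a, const char *deny, bool check_uid0)
{
    if (check_uid0 && a->uid == 0)
        return false;                    /* uid == 0 */
    if (a->pw[0] == '\0')
        return false;                    /* password is blank */
    return !in_deny_list(deny, a->name); /* user is in /etc/ftpusers */
}

int main(void)
{
    const struct acct *all[] = { &ROOT, &ALIAS, &ALICE };
    for (size_t i = 0; i < 3; i++)
        printf("%-10s uid=%-5u with uid check: %d  without: %d\n",
               all[i]->name, all[i]->uid,
               rexec_allowed(all[i], DENY, true),
               rexec_allowed(all[i], DENY, false));
    return 0;
}
```

A second uid-0 account that the deny list does not name is refused only while the uid check is present, so an audit of the list against every uid-0 entry in the password database belongs with any such change.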

