How to disable .rhosts

How to disable .rhosts

Post by Ray Wadm » Thu, 15 Jan 1998 04:00:00



Does anyone know how to disable .rhosts files with fully disabling
rsh/rlogin.

i was able to diable .rhosts but rsh/rlogin also failed to work.
any suggestions would be welcome.

thanks


--

Quote:>-------------------------------------------------------------------<

Ray Wadman
Systems Programmer, Communications Group
Computing & Communications
Memorial University of Newfoundland
 
 
 

How to disable .rhosts

Post by raph.. » Fri, 16 Jan 1998 04:00:00


Install W.Z. Venema's tcp_wrappers & logdaemon packages.
You then have r*d daemons that ignore ~/.rhosts files.

 
 
 

How to disable .rhosts

Post by The New Number T » Fri, 16 Jan 1998 04:00:00


: Does anyone know how to disable .rhosts files with fully disabling
: rsh/rlogin.

: i was able to diable .rhosts but rsh/rlogin also failed to work.
: any suggestions would be welcome.

: thanks


you could place an empty root-owned, chmod 600 file called .rhosts in
each user's home directory. that way, there would already be a .rhosts
file there that the user could not edit or remove.

( =--
 Ben                               |     :Speed:

 http://www.veryComputer.com/~brunning | .FlyingSaucers.
 - How to*with a Macintosh: www.machacks.com -
                                                --= )

 
 
 

How to disable .rhosts

Post by Carl Brewe » Fri, 16 Jan 1998 04:00:00




> : Does anyone know how to disable .rhosts files with fully disabling
> : rsh/rlogin.

> : i was able to diable .rhosts but rsh/rlogin also failed to work.
> : any suggestions would be welcome.

> : thanks


> you could place an empty root-owned, chmod 600 file called .rhosts in
> each user's home directory. that way, there would already be a .rhosts
> file there that the user could not edit or remove.

Except that you can delete it as an ordinary user

[oversteer]/export/home/carl{1} : mkdir foo
[oversteer]/export/home/carl{2} : cd foo
[oversteer]/export/home/carl/foo{3} : l
total 6
drwx------   2 carl     staff        512 Jan 15 17:26 .
drwx------  23 carl     other       1536 Jan 15 17:26 ..
[oversteer]/export/home/carl/foo{4} : su
Password:
# touch .rhosts
# exit
[oversteer]/export/home/carl/foo{5} : l
total 6
drwx------   2 carl     staff        512 Jan 15 17:27 .
drwx------  23 carl     other       1536 Jan 15 17:26 ..
-rw-------   1 root     other          0 Jan 15 17:27 .rhosts
[oversteer]/export/home/carl/foo{6} : rm .rhosts
rm: .rhosts: override protection 600 (yes/no)? y
[oversteer]/export/home/carl/foo{7} : l
total 6
drwx------   2 carl     staff        512 Jan 15 17:27 .
drwx------  23 carl     other       1536 Jan 15 17:26 ..
[oversteer]/export/home/carl/foo{8} :                    

Remember, root may own the file, but the user owns the directory
listing (file), and can do what they want to it. Read those
basic UNIX books again :) (and test anything before you claim it's
a solution, it's a bummer to be wrong in public :) )

To deal with .rhosts, you need to hack the code for it.  Under SunOS,
it wasn't too hard to make Berkeley r**** compile, and of course,
change its behaviour accordingly.  It's probably possible to
compile it under Solaris 2, but I imagine it's a bit harder :)

Does PAM offer a less-fun solution?

 
 
 

How to disable .rhosts

Post by Casper H.S. Dik - Network Security Engine » Fri, 16 Jan 1998 04:00:00


[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]


>Does anyone know how to disable .rhosts files with fully disabling
>rsh/rlogin.
>i was able to diable .rhosts but rsh/rlogin also failed to work.
>any suggestions would be welcome.

In 2.6, you only need to edit /etc/pam.conf (though this will also
disable /etc/hosst..equiv)

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

 
 
 

How to disable .rhosts

Post by Peter Shanke » Fri, 16 Jan 1998 04:00:00




> : Does anyone know how to disable .rhosts files with fully disabling
> : rsh/rlogin.

> : i was able to diable .rhosts but rsh/rlogin also failed to work.
> : any suggestions would be welcome.

> : thanks


> you could place an empty root-owned, chmod 600 file called .rhosts in
> each user's home directory. that way, there would already be a .rhosts
> file there that the user could not edit or remove.

> ( =--
>  Ben                               |     :Speed:

>  http://www.veryComputer.com/~brunning | .FlyingSaucers.
>  - How to*with a Macintosh: www.machacks.com -
>                                                 --= )

good tip
--
thanks  
  Pete ;)

(803) 723-6785
 
 
 

How to disable .rhosts

Post by bruno raoul » Fri, 16 Jan 1998 04:00:00




> : Does anyone know how to disable .rhosts files with fully disabling
> : rsh/rlogin.
> : i was able to diable .rhosts but rsh/rlogin also failed to work.
> : any suggestions would be welcome.
> : thanks

> you could place an empty root-owned, chmod 600 file called .rhosts in
> each user's home directory. that way, there would already be a .rhosts
> file there that the user could not edit or remove.

This does not work, until the users's home directories belong also to
root (which causes many other problems), as, with your solutions, users
will be able to remove their .rhosts (600 access mode does not prevent
a file to be deleted!!)...

--
"Is that all?" asked Alice.
"That is all." said Humpty Dumpty. "Goodbye." -- Lewis Carrol
-----
Bruno Raoult - sysadmin      |  These opinions are my own. They do

phone:+33 (1) 42 13 45 19    |  my employer, Societe Generale.

 
 
 

How to disable .rhosts

Post by Lars Balker Rasmusse » Fri, 16 Jan 1998 04:00:00




> : Does anyone know how to disable .rhosts files with fully disabling
> : rsh/rlogin.

> you could place an empty root-owned, chmod 600 file called .rhosts in
> each user's home directory. that way, there would already be a .rhosts
> file there that the user could not edit or remove.

No, but this would work:

su -
cd /user/dir
rm .rhosts
mkdir .rhosts
chmod 700 .rhosts

Let's see the user get rid of that one.
--
Lars Balker Rasmussen, Software Engineer, Mjolner Informatics ApS

 
 
 

How to disable .rhosts

Post by Pete Glassco » Fri, 16 Jan 1998 04:00:00



Quote:

>su -
>cd /user/dir
>rm .rhosts
>mkdir .rhosts
>chmod 700 .rhosts

>Let's see the user get rid of that one.

: peg20 ~; su
Password:
# cd /export/home/peg20
# mkdir .rhosts
# chmod 700 .rhosts
# : peg20 ~; ls -ld .rhosts
drwx------   2 root     other        512 Jan 15 13:25 .rhosts
: peg20 ~; rmdir .rhosts
: peg20 ~; ls -ld .rhosts
.rhosts: No such file or directory
: peg20 ~;

--
We can pretend O' is an inertial frame by
introducing these fictitious forces <(.)>

 
 
 

How to disable .rhosts

Post by Peter C. Tribb » Fri, 16 Jan 1998 04:00:00






>> : Does anyone know how to disable .rhosts files with fully disabling
>> : rsh/rlogin.

>> you could place an empty root-owned, chmod 600 file called .rhosts in
>> each user's home directory. that way, there would already be a .rhosts
>> file there that the user could not edit or remove.

> No, but this would work:

> su -
> cd /user/dir
> rm .rhosts
> mkdir .rhosts
> chmod 700 .rhosts

> Let's see the user get rid of that one.

rmdir!

if you put a root owned file in there then the rmdir will fail, but the
user can still move it out of the way.

The user has control of their home directory, and will be able to
manipulate files placed there. Still, at least it prevents completely
clueless idiots from creating a .rhosts file.

--
-Peter Tribble
HGMP Computing Services
http://www.hgmp.mrc.ac.uk/~ptribble/

 
 
 

How to disable .rhosts

Post by Lars Balker Rasmusse » Fri, 16 Jan 1998 04:00:00





> > Let's see the user get rid of that one.

> rmdir!

> if you put a root owned file in there then the rmdir will fail, but the
> user can still move it out of the way.

> The user has control of their home directory, and will be able to
> manipulate files placed there. Still, at least it prevents completely
> clueless idiots from creating a .rhosts file.

Duh!  I only tested "rm -rf"  ;-)

Oh well.
--
Lars Balker Rasmussen, Software Engineer, Mjolner Informatics ApS

 
 
 

How to disable .rhosts

Post by Casper H.S. Dik - Network Security Engine » Fri, 16 Jan 1998 04:00:00


[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]




>> : Does anyone know how to disable .rhosts files with fully disabling
>> : rsh/rlogin.

>> you could place an empty root-owned, chmod 600 file called .rhosts in
>> each user's home directory. that way, there would already be a .rhosts
>> file there that the user could not edit or remove.
>No, but this would work:
>su -
>cd /user/dir
>rm .rhosts
>mkdir .rhosts
>chmod 700 .rhosts
>Let's see the user get rid of that one.

rmdir will get rid of that.

You need to touch .rhosts/somefile too but then they can still rename
it.

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

 
 
 

How to disable .rhosts

Post by bruno raoul » Fri, 16 Jan 1998 04:00:00





> > : Does anyone know how to disable .rhosts files with fully disabling
> > : rsh/rlogin.

> No, but this would work:
> su -
> cd /user/dir
> rm .rhosts
> mkdir .rhosts
> chmod 700 .rhosts
> Let's see the user get rid of that one.

Easily!! As the user can access his own directory, he may remove the
subdirectory. The 700 access mode does not prevent him to remove the
.rhosts directory itself, it just prevents the user to create a file
*inside* the .rhosts directory.

--
"Is that all?" asked Alice.
"That is all." said Humpty Dumpty. "Goodbye." -- Lewis Carrol
-----
Bruno Raoult - sysadmin      |  These opinions are my own. They do

phone:+33 (1) 42 13 45 19    |  my employer, Societe Generale.

 
 
 

How to disable .rhosts

Post by Ian G Batte » Fri, 16 Jan 1998 04:00:00


-----BEGIN PGP SIGNED MESSAGE-----



Quote:> su -
> cd /user/dir
> rm .rhosts
> mkdir .rhosts
> chmod 700 .rhosts

> Let's see the user get rid of that one.

Why do you think rmdir .rhosts won't work for the user?  Unless
/user/dir is owned by root, the user can delete anything created in
there, whomever it's owned by.

ian

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQB1AwUBNL4IH8oy0yij3IvtAQEsmwMA2y96sIbS7DdiysahIo0qZQs+Ph1ieS0d
pdosohcxNJpzQ5+99G1Jg1x4ZGNqbNSvWuwWUTmJ+RoDStMWxZIFXBGFSPCb5ZKZ
f8ItW4Fu/JYgqnLXHKFKE1BkpRjje10q
=vQYs
-----END PGP SIGNATURE-----

 
 
 

How to disable .rhosts

Post by P » Fri, 16 Jan 1998 04:00:00



:-->>

:-->>
:-->> : Does anyone know how to disable .rhosts files with fully disabling
:-->> : rsh/rlogin.
:-->>
:-->> : i was able to diable .rhosts but rsh/rlogin also failed to work.
:-->> : any suggestions would be welcome.
:-->>
:-->> : thanks
:-->>

:-->>
:-->> you could place an empty root-owned, chmod 600 file called .rhosts in
:-->> each user's home directory. that way, there would already be a .rhosts
:-->> file there that the user could not edit or remove.

:-->Except that you can delete it as an ordinary user

:-->[oversteer]/export/home/carl{1} : mkdir foo
:-->[oversteer]/export/home/carl{2} : cd foo
:-->[oversteer]/export/home/carl/foo{3} : l
:-->total 6
:-->drwx------   2 carl     staff        512 Jan 15 17:26 .
:-->drwx------  23 carl     other       1536 Jan 15 17:26 ..
:-->[oversteer]/export/home/carl/foo{4} : su
:-->Password:
:--># touch .rhosts
:--># exit
:-->[oversteer]/export/home/carl/foo{5} : l
:-->total 6
:-->drwx------   2 carl     staff        512 Jan 15 17:27 .
:-->drwx------  23 carl     other       1536 Jan 15 17:26 ..
:-->-rw-------   1 root     other          0 Jan 15 17:27 .rhosts
:-->[oversteer]/export/home/carl/foo{6} : rm .rhosts
:-->rm: .rhosts: override protection 600 (yes/no)? y
:-->[oversteer]/export/home/carl/foo{7} : l
:-->total 6
:-->drwx------   2 carl     staff        512 Jan 15 17:27 .
:-->drwx------  23 carl     other       1536 Jan 15 17:26 ..
:-->[oversteer]/export/home/carl/foo{8} :                    

:-->Remember, root may own the file, but the user owns the directory
:-->listing (file), and can do what they want to it. Read those
:-->basic UNIX books again :) (and test anything before you claim it's
:-->a solution, it's a bummer to be wrong in public :) )

Ok, how about this:

01/15/1998{288}/home/foo/9:23:su
Password:
# mkdir .rhoststest [I didn't want to wipe out my .rhosts]
# touch .rhoststest/.rhosts
# ls -ld .rhoststest .rhoststest/.rhosts
drwx------   2 root     other        512 Jan 15 09:24 .rhoststest
-rw-------   1 root     other          0 Jan 15 09:24 .rhoststest/.rhosts
# exit
01/15/1998{289}/home/foo/9:24:rmdir .rhoststest
rmdir: directory ".rhoststest": Directory not empty
01/15/1998{290}/home/foo/9:24:cd .rhoststest
.rhoststest: Permission denied.
01/15/1998{291}/home/foo/9:24:rm .rhoststest/.rhosts
.rhoststest/.rhosts: Permission denied
[wait, what about rm -rf?]
01/15/1998{292}/home/foo/9:24:rm -rf .rhoststest
rm: cannot read directory .rhoststest: Permission denied
01/15/1998{293}/home/foo/9:27:rm -rf .rhoststest/.rhosts
01/15/1998{294}/home/foo/9:34:rmdir .rhoststest
rmdir: directory ".rhoststest": Directory not empty
01/15/1998{295}/home/foo/9:35:su
Password:
# cd .rhoststest
# ls -a
.        ..       .rhosts

:-->To deal with .rhosts, you need to hack the code for it.  Under SunOS,
:-->it wasn't too hard to make Berkeley r**** compile, and of course,
:-->change its behaviour accordingly.  It's probably possible to
:-->compile it under Solaris 2, but I imagine it's a bit harder :)

:-->Does PAM offer a less-fun solution?
--
no signature file