Re: Capabilities

From: Peter Benie (pjb1008@cam.ac.uk)
Date: Fri Feb 11 2000 - 04:35:58 EST


Brandon S. Allbery KF8NH writes ("Re: Capabilities "):
> In message <E12Iwlj-0004MM-00@taurus.cus.cam.ac.uk>, Peter Benie writes:
> | If you can bind to low numbered ports, you can fake credentials for
> | rsh or rlogin. From there, you can get to root on many machines
>
> I can do that from a Windows PC, if necessary spoofing packets from a
> legitimate host. So?
>
> Anyone who doesn't disable or severely restrict the r-commands is begging
> for trouble: *they* are the security holes here, not CNBS.

I wish people would keep repeating that argument. There are plenty of
environments where the r-utilities are perfectly safe, such as between
hosts in a machine room, where the room has a lock, a burglar alarm,
and random people can't just plug PCs into the network.

Peter



