topic Re: rexec in Operating System - HP-UX

rexec

Ed Watson_1 — Fri, 06 Jun 2003 17:18:12 GMT

I am trying to set up our system so that nobody can directly login to root. Rather, I want them to use their assigned userid and then su to root. To that end I created /etc/securetty and placed "console" (without the quotes) in the file. This works fine except when it comes to rexec. It seems you can directly login to the system as root if you use rexec. Is there any way to prevent this?

Re: rexec

Robert-Jan Goossens — Fri, 06 Jun 2003 17:25:48 GMT

Hi,

Have you got a .rhosts file in home dir of root ?

Robert-Jan.

Re: rexec

Umapathy S — Fri, 06 Jun 2003 17:29:28 GMT

If I understood your question correctly then,

rexec, remsh all will take the current $LOGNAME and tries to login to the remote system with that username. If you are a non-root user in the local machine, you cannot login as root in the remote machine.

Can you tell exactly what you did to come to this conclusion?

HTH,
Umapathy

Re: rexec

Elena Leontieva — Fri, 06 Jun 2003 17:31:18 GMT

I found this info, not sure it is current thouh ...
Problem Text

CR# JAGad96327
problem
There is no way to prevent the login as 'root' using 'rexec' provided
that the root passwd is given properly. Using 'remsh' a user 'root' can
diasble the loging as 'root' by not giving the .rhosts entry. But for
rexec no mechanism as such.

Fix Text

fix
New option -S is added to rexecd for this ER.

This fix will be available to all customers from 11.23 release.

Fixed binary has been provided on,
11.00
11.11

Available at ftp://jog.india.hp.com/pub/Inetsvcs/R-
COMMANDS/Binaries/rexec/JAGad96327/

Re: rexec

Ed Watson_1 — Fri, 06 Jun 2003 17:32:07 GMT

Yes, I do have an .rhosts in /root. I renamed it to see what would happen and it did not seem to have an effect.

Re: rexec

Ed Watson_1 — Fri, 06 Jun 2003 17:42:35 GMT

Umapathy S,

To answer your question, if console is the only device specified in /etc/securetty, then if you are root on the local machine then you cannot telnet, rlogin, etc. to the remote machine. At least that is the way I understand it. Instead, you would have to use your own userid to get in, then su to root. This has proven to be the case for all methods except rexec.

Re: rexec

Umapathy S — Fri, 06 Jun 2003 17:48:18 GMT

Now understood the problem.

thanks Ed.

cheers
Umapathy

Re: rexec

Bill Douglass — Fri, 06 Jun 2003 18:26:42 GMT

Despite indications from the rexecd man page, rexecd does in fact call pam modules as configured in pam.conf. While I am no expect on writing pam modules, it should be possible to put together a custom module that checks for root in an rcomd login and rejects the request.

Here is the debug output from rexecd:

Jun 6 09:17:01 sara rexecd[8152]: unix pam_sm_authenticate(rcomds root), flags = 0
Jun 6 09:17:01 sara rexecd[8152]: pam_sm_acct_mgmt: -1 12209
Jun 6 09:17:01 sara rexecd[8152]: pam_sm_acct_mgmt: flags 0x0
Jun 6 09:17:01 sara rexecd[8152]: pam_sm_acct_mgmt: -1 -1 -1
Jun 6 09:17:01 sara rexecd[8152]: warn_user_passwd_will_expire: -1 -1 12209 -1
Jun 6 09:17:01 sara rexecd[8152]: pam_sm_acct_mgmt: 0 0 root
Jun 6 09:17:02 sara rexecd[8152]: pam_sm_acct_mgmt: error 0
Jun 6 09:17:02 sara rexecd[8152]: pam_sm_acct_mgmt: exiting, error 0
Jun 6 09:17:02 sara rexecd[8152]: pam_sm_setcred(): no module data

Re: rexec

Ed Watson_1 — Fri, 06 Jun 2003 19:22:25 GMT

Elena,

Thanks for your response. I think you are on to something. Unfortunately I cannot locate this fix on the hp.com website nor can I get to the FTP site you referenced. Also, we are running 11.11, so I was hoping the fix was already in place. I put the -S option in the /etc/inetd.conf file on the rexecd line, but it did not correct the problem. So I am assuming I need to get the patch. I'll keep looking.

Re: rexec

John Dvorchak — Fri, 06 Jun 2003 19:28:55 GMT

Just my two cents worth and it would disable rexec for every user, not just root. Comment out the entry "exec" in /etc/inetd.conf, then issue inetd -c to refresh inetd.

#bootps dgram udp wait root /usr/lbin/bootpd bootpd
#finger stream tcp nowait bin /usr/lbin/fingerd fingerd
login stream tcp nowait root /usr/lbin/rlogind rlogind
shell stream tcp nowait root /usr/lbin/remshd remshd
#exec stream tcp nowait root /usr/lbin/rexecd rexecd
#uucp stream tcp nowait root /usr/sbin/uucpd uucpd

Re: rexec

Elena Leontieva — Fri, 06 Jun 2003 19:41:43 GMT

Ed,

There is a PHNE_27777 s700_800 11.11 r-commands cumulative mega-patch.

Elena.

Re: rexec

Ed Watson_1 — Fri, 06 Jun 2003 20:59:14 GMT

Elena,

I installed the PHNE_27777 patch, but still no luck.

Re: rexec

Zeev Schultz — Sat, 07 Jun 2003 08:09:19 GMT

Would go for John's advise and disable
rexecd in inetd.conf.I've faced simmilar
problem with rexec & inetd.sec when was doing
rexec from my ReflectionX (term application) to
hp-ux host.I was allowed to "rexec hpterm" despite inetd.sec lines.
As to Elena's response - hp aware of rexec issues and plan to release some sort of a fix.
So Elena posted some Jagxxxx that comes from
Hp sites.
For more secure needs though I'd go for IPfilter.

Re: rexec

Zeev Schultz — Sun, 08 Jun 2003 06:51:02 GMT

Sorry,last one was related to /etc/securetty
and not /var/adm/inetd.sec.Please contact HPRC
for updated rexecd or disable it at all.

Zeev