topic Re: rexecd in Operating System - HP-UX

rexecd

Eric Porter — Thu, 29 Nov 2001 14:22:21 GMT

I am using /etc/securetty to restrict root to "su" only access. Unfortunalty this does not restrict rexec access. At the moement I can not simply turn off rexecd, (as I have done for the other "r" services)... we have applications using rexec.

Does anyone have a suggestion to prevent root from using rexec, but allow other users access.

Thanks!

Eric

Re: rexecd

Sridhar Bhaskarla — Thu, 29 Nov 2001 14:42:08 GMT

Comment out login,shell and exec from /etc/inetd.conf and restart inetd.

If you want to restrict them for specific hosts and network, try implementing /var/adm/inetd.sec restrictions.

-Sri

Re: rexecd

Christopher Caldwell — Thu, 29 Nov 2001 14:42:19 GMT

Moderate
If you don't want root to run rexec, it probably means that you don't want to allow root access between the boxen. Don't build an .rhosts equivalent for root on the other hosts-thus root can run rexec, but root won't get in.

Moderate
If you're using ACLs (you can't on older JFS) You could use an ACL to take access away from root, but (I believe) root can always change the ACL back to grant access.

Complicated
I suppose you could write a wrapper around rexec that checks for uid 0 and denies access for uid 0.

Re: rexecd

Uday_S_Ankolekar — Thu, 29 Nov 2001 14:45:17 GMT

Hi,

If you want to allow only few then make use of /var/adm/inetd.sec file

-USA..

Re: rexecd

Sridhar Bhaskarla — Thu, 29 Nov 2001 14:47:47 GMT

Ooops.. Didn't read your message properly.. Pls ignore it. I need a coffee...

-Sri

Re: rexecd

Eric Porter — Thu, 29 Nov 2001 15:05:32 GMT

Let me clarify my issue...

We are trying to block "rexec" for root (only). Rexec does not use ".rhosts", or host.equiv, it prompts for a user name and password.

We have already blocked, the use of rlogin, and remsh.

Using inetd.sec allows me to block by source host, but not by user.

ideas????

Thanks!

Eric

Re: rexecd

Christopher Caldwell — Thu, 29 Nov 2001 15:17:26 GMT

Hmmmm. Forgot about the password thing and .rhosts. Sorry.

1) use a wrapper

2) don't give folks the passwords to the other boxes.

In a nutshell, Unix is fairly bad about discretionary access; root ends up being omnipotent unless accomodations are made in software (we have some software that says "you can run as anyone but root).

If you're problem is really delegation of user privs, then use sudo, scm (service control manager), or rsam (restricted sam) so you can tell a user what they can run as root (easy), as opposed to telling root what root can't run (hard, unless the software is intrumented to do so).

Re: rexecd

Anthony deRito — Thu, 29 Nov 2001 15:18:43 GMT

Eric, is it possible for you to set up a non-root user ID and provide user restrictions based on that ID? Your somewhat limitted on restricting root access... if some of your users (other admins I hope) have root access, then they can get around anything. If they do not have the knowledge to "get around anything" then what do they need root access for? I don't mean to question your policies but I just wanted to understand more about your issue...

Tony

Re: rexecd

Steven Gillard_2 — Thu, 29 Nov 2001 16:44:24 GMT

In following with the wrapper idea, you could download GNU's inetutils package. Then you have the source for rexecd.c to which you could add a few lines just after the call to endpwent() :

if (*pwd->pw_uid == 0) {
error("Login incorrect\n");
exit(1);
}

Then compile and edit inetd.conf so that the GNU daemon is run instead of the default HPUX rexecd. I've done similar things many times before... the only drawback is you now have a rexecd that is not supported by HP which may be a problem for you.

Regards,
Steve

Re: rexecd

Steven Gillard_2 — Thu, 29 Nov 2001 16:53:42 GMT

oops, get rid of that *:

if (pwd->pw_uid == 0) {

Cheers,
Steve