Re: rexec

 
SOLVED
Go to solution
Ed Watson_1
New Member

rexec

I am trying to set up our system so that nobody can directly login to root. Rather, I want them to use their assigned userid and then su to root. To that end I created /etc/securetty and placed "console" (without the quotes) in the file. This works fine except when it comes to rexec. It seems you can directly login to the system as root if you use rexec. Is there any way to prevent this?
Robert-Jan Goossens
Honored Contributor

Re: rexec

Hi,

Have you got a .rhosts file in home dir of root ?

Robert-Jan.
Umapathy S
Honored Contributor

Re: rexec

If I understood your question correctly then,

rexec and remsh will all take the current $LOGNAME and try to log in to the remote system with that username. If you are a non-root user on the local machine, you cannot log in as root on the remote machine.

Can you tell exactly what you did to come to this conclusion?

HTH,
Umapathy
Arise Awake and Stop NOT till the goal is Reached!
Elena Leontieva
Esteemed Contributor
Solution

Re: rexec

I found this info, not sure it is current though ...
Problem Text

CR# JAGad96327
problem
There is no way to prevent the login as 'root' using 'rexec' provided that the root passwd is given properly. Using 'remsh' a user 'root' can disable the login as 'root' by not giving the .rhosts entry. But for rexec no mechanism as such.

Fix Text

fix
New option -S is added to rexecd for this ER.

This fix will be available to all customers from 11.23 release.

Fixed binary has been provided on,
11.00
11.11

Available at ftp://jog.india.hp.com/pub/Inetsvcs/R-COMMANDS/Binaries/rexec/JAGad96327/

Ed Watson_1
New Member

Re: rexec

Yes, I do have an .rhosts in /root. I renamed it to see what would happen and it did not seem to have an effect.
Ed Watson_1
New Member

Re: rexec

Umapathy S,

To answer your question, if console is the only device specified in /etc/securetty, then if you are root on the local machine then you cannot telnet, rlogin, etc. to the remote machine. At least that is the way I understand it. Instead, you would have to use your own userid to get in, then su to root. This has proven to be the case for all methods except rexec.
Umapathy S
Honored Contributor

Re: rexec

Now understood the problem.

thanks Ed.

cheers
Umapathy
Arise Awake and Stop NOT till the goal is Reached!
Bill Douglass
Esteemed Contributor

Re: rexec

Despite indications from the rexecd man page, rexecd does in fact call PAM modules as configured in pam.conf. While I am no expert on writing PAM modules, it should be possible to put together a custom module that checks for root in an rcomds login and rejects the request.

Here is the debug output from rexecd:

Jun 6 09:17:01 sara rexecd[8152]: unix pam_sm_authenticate(rcomds root), flags = 0
Jun 6 09:17:01 sara rexecd[8152]: pam_sm_acct_mgmt: -1 12209
Jun 6 09:17:01 sara rexecd[8152]: pam_sm_acct_mgmt: flags 0x0
Jun 6 09:17:01 sara rexecd[8152]: pam_sm_acct_mgmt: -1 -1 -1
Jun 6 09:17:01 sara rexecd[8152]: warn_user_passwd_will_expire: -1 -1 12209 -1
Jun 6 09:17:01 sara rexecd[8152]: pam_sm_acct_mgmt: 0 0 root
Jun 6 09:17:02 sara rexecd[8152]: pam_sm_acct_mgmt: error 0
Jun 6 09:17:02 sara rexecd[8152]: pam_sm_acct_mgmt: exiting, error 0
Jun 6 09:17:02 sara rexecd[8152]: pam_sm_setcred(): no module data
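Until a rejecting PAM module or a fixed rexecd is in place, the debug lines above are enough to detect root logins arriving through rexec after the fact. The following is an added example (not Bill's code or anything shipped with HP-UX) that pulls out every rexecd authentication of root through the rcomds PAM service from syslog-style input; the sample log lines are constructed, modelled on the format shown in the post, and the field positions assume the standard "Mon D HH:MM:SS host prog[pid]:" syslog prefix.

```shell
#!/bin/sh
# Constructed sample of rexecd/remshd debug output in the format shown above.
# Only the first line is a root login via rexecd; the others must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
Jun 6 09:17:01 sara rexecd[8152]: unix pam_sm_authenticate(rcomds root), flags = 0
Jun 6 09:17:01 sara rexecd[8152]: pam_sm_acct_mgmt: 0 0 root
Jun 6 09:20:15 sara rexecd[8201]: unix pam_sm_authenticate(rcomds alice), flags = 0
Jun 6 09:20:15 sara rexecd[8201]: pam_sm_acct_mgmt: 0 0 alice
Jun 6 09:25:40 sara remshd[8300]: unix pam_sm_authenticate(rcomds root), flags = 0
EOF
)

# root_rexec_attempts: read syslog lines on stdin and print one summary line
# ("Mon D HH:MM:SS host pid") for each rexecd authentication of root via rcomds.
root_rexec_attempts() {
    awk '/rexecd\[[0-9]+\]: unix pam_sm_authenticate\(rcomds root\)/ {
        # $4 is the host, $5 looks like "rexecd[8152]:"; strip down to the pid
        pid = $5
        sub(/^rexecd\[/, "", pid)
        sub(/\]:$/, "", pid)
        print $1, $2, $3, $4, pid
    }'
}

# count_root_rexec: number of root-via-rexecd authentications in the input.
count_root_rexec() {
    root_rexec_attempts | wc -l | tr -d ' '
}

# Stand-alone run: report against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | root_rexec_attempts
```

Feeding the real syslog file to the function instead of the sample (for example `root_rexec_attempts < /var/adm/syslog/syslog.log`) gives the same summary for the live system; any output at all means a direct root login bypassed /etc/securetty.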
Ed Watson_1
New Member

Re: rexec

Elena,

Thanks for your response. I think you are on to something. Unfortunately I cannot locate this fix on the hp.com website nor can I get to the FTP site you referenced. Also, we are running 11.11, so I was hoping the fix was already in place. I put the -S option in the /etc/inetd.conf file on the rexecd line, but it did not correct the problem. So I am assuming I need to get the patch. I'll keep looking.
John Dvorchak
Honored Contributor

Re: rexec

Just my two cents' worth, and it would disable rexec for every user, not just root. Comment out the "exec" entry in /etc/inetd.conf, then issue inetd -c to refresh inetd.

#bootps dgram udp wait root /usr/lbin/bootpd bootpd
#finger stream tcp nowait bin /usr/lbin/fingerd fingerd
login stream tcp nowait root /usr/lbin/rlogind rlogind
shell stream tcp nowait root /usr/lbin/remshd remshd
#exec stream tcp nowait root /usr/lbin/rexecd rexecd
#uucp stream tcp nowait root /usr/sbin/uucpd uucpd
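To check that the change above actually took, and to apply it without hand-editing, here is an added example (not John's code or an HP-UX tool): a pair of shell functions that detect an active "exec" service line in an inetd.conf and produce a copy with that line commented out. The inetd.conf excerpt is constructed from the lines in the post; the functions assume the standard "service socket proto ..." column layout of inetd.conf and use sed -E (extended regular expressions).

```shell
#!/bin/sh
# Constructed excerpt of an /etc/inetd.conf with rexecd still enabled.
INETD_BEFORE='login stream tcp nowait root /usr/lbin/rlogind rlogind
shell stream tcp nowait root /usr/lbin/remshd remshd
exec stream tcp nowait root /usr/lbin/rexecd rexecd
#uucp stream tcp nowait root /usr/sbin/uucpd uucpd'

# rexec_enabled FILE: exit 0 if FILE contains an active (uncommented) "exec"
# TCP stream service line, i.e. inetd would still start rexecd from it.
rexec_enabled() {
    grep -Eq '^[[:space:]]*exec[[:space:]]+stream[[:space:]]+tcp' "$1"
}

# disable_rexec IN OUT: copy IN to OUT with every active "exec" line commented
# out. Lines that are already comments are left untouched.
disable_rexec() {
    sed -E 's/^([[:space:]]*)(exec[[:space:]]+stream[[:space:]]+tcp)/\1#\2/' "$1" > "$2"
}

# Stand-alone run against the constructed excerpt.
WORK="${TMPDIR:-/tmp}/inetd_demo.$$"
printf '%s\n' "$INETD_BEFORE" > "$WORK.before"
if rexec_enabled "$WORK.before"; then
    echo "rexecd is enabled; writing hardened copy"
    disable_rexec "$WORK.before" "$WORK.after"
    cat "$WORK.after"
fi
rm -f "$WORK.before" "$WORK.after"
```

On a live system you would run `disable_rexec /etc/inetd.conf /etc/inetd.conf.new`, inspect the diff, move the new file into place and then run `inetd -c` as the post says, so the running inetd re-reads the configuration.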
If it has wheels or a skirt, you can't afford it.
Elena Leontieva
Esteemed Contributor

Re: rexec

Ed,

There is a PHNE_27777 s700_800 11.11 r-commands cumulative mega-patch.

Elena.

Ed Watson_1
New Member

Re: rexec

Elena,

I installed the PHNE_27777 patch, but still no luck.
Zeev Schultz
Honored Contributor

Re: rexec

I would go for John's advice and disable rexecd in inetd.conf. I've faced a similar problem with rexec and inetd.sec when I was doing rexec from my ReflectionX (terminal application) to an HP-UX host. I was allowed to "rexec hpterm" despite the inetd.sec lines.

As to Elena's response, HP is aware of the rexec issues and plans to release some sort of a fix. So Elena posted some Jagxxxx that comes from HP sites.

For more secure needs though I'd go for IPFilter.
So computers don't think yet. At least not chess computers. - Seymour Cray
Zeev Schultz
Honored Contributor

Re: rexec

Sorry, the last one was related to /etc/securetty and not /var/adm/inetd.sec. Please contact HPRC for an updated rexecd or disable it altogether.

Zeev
So computers don't think yet. At least not chess computers. - Seymour Cray