
rexecd

 
Eric Porter
New Member

rexecd

I am using /etc/securetty to restrict root to "su" only access. Unfortunately this does not restrict rexec access. At the moment I can not simply turn off rexecd, (as I have done for the other "r" services)... we have applications using rexec.

Does anyone have a suggestion to prevent root from using rexec, but allow other users access.

Thanks!

Eric
Sridhar Bhaskarla
Honored Contributor

Re: rexecd

Comment out login,shell and exec from /etc/inetd.conf and restart inetd.

If you want to restrict them for specific hosts and network, try implementing /var/adm/inetd.sec restrictions.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Christopher Caldwell
Honored Contributor

Re: rexecd

Moderate
If you don't want root to run rexec, it probably means that you don't want to allow root access between the boxen. Don't build an .rhosts equivalent for root on the other hosts; thus root can run rexec, but root won't get in.

Moderate
If you're using ACLs (you can't on older JFS), you could use an ACL to take access away from root, but (I believe) root can always change the ACL back to grant access.

Complicated
I suppose you could write a wrapper around rexec that checks for uid 0 and denies access for uid 0.

Uday_S_Ankolekar
Honored Contributor

Re: rexecd

Hi,

If you want to allow only few then make use of /var/adm/inetd.sec file

-USA..
Good Luck..
Sridhar Bhaskarla
Honored Contributor

Re: rexecd

Ooops.. Didn't read your message properly.. Pls ignore it. I need a coffee...

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Eric Porter
New Member

Re: rexecd

Let me clarify my issue...

We are trying to block "rexec" for root (only). Rexec does not use ".rhosts", or host.equiv, it prompts for a user name and password.

We have already blocked, the use of rlogin, and remsh.

Using inetd.sec allows me to block by source host, but not by user.

ideas????

Thanks!

Eric
Christopher Caldwell
Honored Contributor

Re: rexecd

Hmmmm. Forgot about the password thing and .rhosts. Sorry.

1) use a wrapper

2) don't give folks the passwords to the other boxes.

In a nutshell, Unix is fairly bad about discretionary access; root ends up being omnipotent unless accommodations are made in software (we have some software that says "you can run as anyone but root").

If your problem is really delegation of user privs, then use sudo, scm (service control manager), or rsam (restricted sam) so you can tell a user what they can run as root (easy), as opposed to telling root what root can't run (hard, unless the software is instrumented to do so).


Anthony deRito
Respected Contributor

Re: rexecd

Eric, is it possible for you to set up a non-root user ID and provide user restrictions based on that ID? You're somewhat limited on restricting root access... if some of your users (other admins I hope) have root access, then they can get around anything. If they do not have the knowledge to "get around anything" then what do they need root access for? I don't mean to question your policies but I just wanted to understand more about your issue...

Tony
Steven Gillard_2
Honored Contributor

Re: rexecd

In following with the wrapper idea, you could download GNU's inetutils package. Then you have the source for rexecd.c to which you could add a few lines just after the call to endpwent() :

if (*pwd->pw_uid == 0) {
error("Login incorrect\n");
exit(1);
}

Then compile and edit inetd.conf so that the GNU daemon is run instead of the default HPUX rexecd. I've done similar things many times before... the only drawback is you now have a rexecd that is not supported by HP which may be a problem for you.

Regards,
Steve
Steven Gillard_2
Honored Contributor

Re: rexecd

oops, get rid of that *:

if (pwd->pw_uid == 0) {

Cheers,
Steve
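The uid-0 check from the two posts above, written out as an added example that is not code from the thread or from GNU inetutils. rexec_account_permitted and rexec_login_permitted are hypothetical helper names, meant to be called where rexecd.c does its password-file lookup; the test on the numeric uid rather than the name "root" also refuses any alias account that shares uid 0.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

/* Policy check on a password-file entry (hypothetical helper, added here).
 * Returns 1 if the account may use rexec, 0 if it must be refused. */
int rexec_account_permitted(const struct passwd *pwd)
{
    if (pwd == NULL)
        return 0;               /* unknown login name: refuse */
    /* Compare the numeric uid, not the string "root": a second
     * superuser entry with uid 0 under another name is refused too. */
    if (pwd->pw_uid == 0)
        return 0;
    return 1;
}

/* Look the login name up and apply the policy.  The caller should report
 * a refusal with the same "Login incorrect" text rexecd uses for a bad
 * password, so a remote client cannot tell policy from a wrong password. */
int rexec_login_permitted(const char *name)
{
    struct passwd *pwd = getpwnam(name);
    int ok = rexec_account_permitted(pwd);
    endpwent();
    return ok;
}

int main(void)
{
    const char *names[] = { "root", "nobody" };   /* constructed sample */
    for (int i = 0; i < 2; i++)
        printf("%s: %s\n", names[i],
               rexec_login_permitted(names[i]) ? "permitted" : "Login incorrect");
    return 0;
}
```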