HPE Community
Operating System - HP-UX
1821540 Members
2168 Online
109633 Solutions
New Discussion юеВ

.rhosts file permissions

 
Scott E Smith
Frequent Advisor

тАО11-07-2000 01:45 PM

тАО11-07-2000 01:45 PM

.rhosts file permissions

It has been suggested that we change the permissions on all of our .rhosts files to being owned by root and permissions of 644. The .rhosts man page says that "the .rhost file must be owned by the user who's home directory it is in." Is this the case? I searched the forum and did not see a similar issue. Thanks.
0 Kudos
Reply
10 REPLIES 10
Rita C Workman
Honored Contributor

тАО11-07-2000 01:50 PM

тАО11-07-2000 01:50 PM

Re: .rhosts file permissions

The purpose of .rhosts is to give rlogin capability from one box to another without the hassle of passwords....seamless. So yes, the .rhosts file should be owned by the user and should be in their home directory.
For root it would be in roots 'home' directory, which is /

If you want to read more on this take a look for .rhosts info in the Installing and Administering Internet Services Manual as well as in the System Administration Tasks (these are the HP manuals)....these are just 2 places...

rcw
0 Kudos
Reply
Rick Garland
Honored Contributor

тАО11-07-2000 01:52 PM

тАО11-07-2000 01:52 PM

Re: .rhosts file permissions

For the .rhosts that belong to individual users, you are correct. The permissions will allow only the owner to have write permissions. This includes the root acct as well.

The .rhosts file for root will be owned by root and have 644. The .rhosts for user1 will be owned by user1 and have permissions of 644.

For the root, you may want to remove the read access for all other users. Anyone can read the file and see what the trusted systems in the network are.
0 Kudos
Reply
Alan Riggs
Honored Contributor

тАО11-07-2000 02:48 PM

тАО11-07-2000 02:48 PM

Re: .rhosts file permissions

.rhosts files should really have permisisons 400 or 600, IMO. Anything else is a security risk.
0 Kudos
Reply
Tom Danzig
Honored Contributor

тАО11-07-2000 03:13 PM

тАО11-07-2000 03:13 PM

Re: .rhosts file permissions

I agree with Alan. .rhosts permissions should be 400 (owned by the user). This minimizes the risk of anyone (even spoofing the users identity) from modifying it.

Also, the file should exist (even if empty). This prevents someone from creating it with thier own prefered entries.
0 Kudos
Reply
Philip Chan_1
Respected Contributor

тАО11-07-2000 07:02 PM

тАО11-07-2000 07:02 PM

Re: .rhosts file permissions


In some big firms especially with the banking/finance industries, they prefer to prohibit or control remote access to their servers. By assigning your .rhosts ownership to root that I think someone from your company/organization (perhaps the security officers) is trying to control the list of external users who can remote control your account.

By controlling individual .rhosts, I guess the security weaknesses of a server will not be exposed OUTSIDE the box.

Let say if you as an user for a highly sensitive server, granted remote access ability to another user in another box which isn't secured, then your account in the sensitive server will become a security loop hole for the hackers.

Just my 2 cents.

Regards,
Philip
0 Kudos
Reply
Dan Hetzel
Honored Contributor

тАО11-08-2000 12:03 AM

тАО11-08-2000 12:03 AM

Re: .rhosts file permissions

Hi,

Here are my $0.02...

Permissions should be either 644 (owner=root)
or 600 (owner=user in user homedir, owner=root in /)

If permission is set to 600, owner=root in a home dir, the file won't be readable by anybody but root and would be useless.

As Philip said, setting the ownership to root and preventing a user to modify the .rhosts file is a way to control who may login and from which box. It's a lot more secure than allowing a user to widely open doors into a system.

Dan


Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
0 Kudos
Reply
Lasse Knudsen
Esteemed Contributor

тАО11-08-2000 12:08 AM

тАО11-08-2000 12:08 AM

Re: .rhosts file permissions

You might have problem if your .rhosts file are on a NFS-mounted drive and you change the right to 0400 and 'root' ownership. That is if you have not 'root exported' your filesystem (which I hope you have not :-)

Just a thought
In a world without fences - who needs Gates ?
0 Kudos
Reply
Santosh Nair_1
Honored Contributor

тАО11-09-2000 07:21 AM

тАО11-09-2000 07:21 AM

Re: .rhosts file permissions

I might be misunderstanding something but creating a
.rhosts file that is owned by root in the users directory
does NOT buy anything. Althought this prevents the
user from making modifications to the existing file, this
does NOT prevent them from deleting the .rhosts file
altogether and replacing it with their own .rhosts file.
In order to prevent this, you would have to turn on the
sticky bit on their home directory (the 't' permission).
This would prevent anyone other than the owner of the
file from deleting the file.

So you would have to set the permissions on the user's
home directory as follows:
rwxr-xr-t
and then create the .rhosts files in their home directory.

-Santosh
Life is what's happening while you're busy making other plans
0 Kudos
Reply
Tom Danzig
Honored Contributor

тАО11-09-2000 07:48 AM

тАО11-09-2000 07:48 AM

Re: .rhosts file permissions

In highly secure environments, the use of .rhosts by users can be denied by specifying the -l option to remshd and rlogind in /etc/inetd.conf.
0 Kudos
Reply
Darren Miller
Advisor

тАО11-09-2000 09:24 AM

тАО11-09-2000 09:24 AM

Re: .rhosts file permissions

Scott,

.rhosts should have 400 or 600 permissions, and be owned by the user. Some administrators change the ownership to root to prevent users from modifying their .rhosts file. This gives a false sense of security, though. Since users almost always have "w" permission on their home directory, they could simply remove the file and recreate it with whatever owner/permissions they choose, regardless of the ownership/permissions on the original file.

Here's a much better approach to preventing users from configuring .rhosts inappropriately: add a "-l" option on the end of the "login" and "shell" lines in /etc/inetd.conf, then type "inetd -c". The "-l" option tells HPUX to ignore regular users' .rhosts files even if they exist. Root's .rhosts file is still honored, however. Then, if you want to allow remsh/rlogin/rcp access for selected users, add them to the /etc/hosts.equiv file (eg: "hosta user1" allows user1 password free access from hosta).

Of course, if you are REALLY serious about security, you should disable the Berkeley services altogether and use ssh (www.openssh.org) instead.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.