diff options
| author | Simon Biewald <simon@fam-biewald.de> | 2020-06-20 18:08:56 +0300 |
|---|---|---|
| committer | Simon Biewald <simon@fam-biewald.de> | 2020-06-20 18:08:56 +0300 |
| commit | b7b132721e166d9809e081e4c082a9e843b2d345 (patch) | |
| tree | f862ef8163879ed1faccbc92c3c38438493e4dca /default.prf | |
| parent | bd29a3e4e790d9825521ae9e9a04ffb3c01721d0 (diff) | |
check permissions of files used by rsh
The old rsh (remote shell) grants access to users and hosts in the files
/etc/hosts.equiv and ~/r(login|hosts). If attackers can write to those
files, he can logon as a different user or even root (in case of roots
.r(login|hosts) only) to the system. While the rsh daemon usually checks
for non-root owners or write permissions, this may not be the case on
any system.
Those files might affect other services as well (rlogin, rcp, ...).
As hostnames and usernames are not verified securely, the use of rsh and
similar commands discouraged. It may still be in use on legacy systems
even today, so it should be secured as much as possible if not possible
to remove/replace.
Diffstat (limited to 'default.prf')
| -rw-r--r-- | default.prf | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/default.prf b/default.prf index 6ff3eac2..7f1a6899 100644 --- a/default.prf +++ b/default.prf @@ -303,6 +303,9 @@ permfile=/etc/motd:rw-r--r--:root:root:WARN: permfile=/etc/passwd:rw-r--r--:root:-:WARN: permfile=/etc/passwd-:rw-r--r--:root:-:WARN: permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN: +permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN: +permfile=/root/.rhosts:rw-------:root:root:WARN: +permfile=/root/.rlogin:rw-------:root:root:WARN: # These permissions differ by OS #permfile=/etc/gshadow:---------:root:-:WARN: |