[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

non-setuid rcp problem

I've been having a problem with kerberized rcp, at least with Heimdal  
1.0 and newer.  Whenever I rcp something from a remote host to the  
local machine:
   rcp host:file file
I get an error code of 1 from rcp.  This messes up some scripts we use  
which check error codes.

We do not install rcp setuid.

Looking at appl/rcp/rcp.c, line 278, in tolocal() I see:
                 if (seteuid(0) < 0)
It looks like this is guaranteed to fail if rcp is not installed  
setuid!  Also, I don't see where the effective uid was ever changed  
from 0 in this code path (though I've not looked closely), so there  
might be a vulnerability here.

This code is identical in Heimdal 1.1 and the development branch.

I think that the correct fix is either not doing the seteuid if we're  
not setuid, or (simpler) not checking the return code from this  
seteuid.  If we can't become root, oh well.


This is a digitally signed message part