Subject: Problems with root and .rhosts
To: None <current-users@netbsd.org>
From: Brian Moore <ziff@eecs.umich.edu>
List: current-users
Date: 10/26/1994 18:05:01

This isn't actually a bug report, so I didn't use send-pr to send this, but
there seems to be an inconsistency between rlogind and rshd with respect to
the .rhosts file for root.  I am attempting to allow rlogin for root on a
NetBSD/i386 machine (iranistu).  I can add a machine to root's .rhosts file
and rsh will allow root to access the machine without a password.  When I try
to rlogin into iranistu, I always will get back a prompt for the password.  I
looked into rlogind.c and found where it is doing this.  It is in the function
do_rlogin.  The code looks like this:

        if (pwd->pw_uid == 0)
                return (-1);
        /* XXX why don't we syslog() failure? */
        return (iruserok(dest->sin_addr.s_addr, 0, rusername, lusername));

Basically, what is happening here is that if the user coming in is root, then
it doesn't even look at the .rhosts file, and assumes that a password is
needed.  To fix this to allow root access via .rhosts, you could just change
the 0 in the iruserok call to 'pwd->pw_uid == 0'.  Now I'm assuming this
part of the code was done for security reasons, so if you really don't want to
change this behavior, how about adding an option to rlogind called '-u' to
allow unsecure access?  The security issue isn't really that strong since you
can just use rsh to get into the system, even just to the point of starting an
xterm remotely to get a prompt.  

I know this seems nit-picky, but I'm right now trying to bring some
NetBSD machines up in our Sun environment and am just trying to get things to
work as seamlessly as possible.  

Thanks,
--Brian
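
The following is an added example, not part of the original message and not NetBSD source: a simplified C model of the trust decision discussed above, showing what the second (superuser) argument of iruserok changes for root. The functions `listed`, `model_iruserok` and `rlogind_check` are hypothetical stand-ins, and the host names and file contents are constructed. Assumptions: only plain "host [user]" lines are modelled, with no "+"/"-" entries, netgroups or file permission checks.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample data; host names are placeholders. */
static const char *HOSTS_EQUIV = "sun1.example.org\n";
static const char *ROOT_RHOSTS = "sun2.example.org root\n";

/* 1 if a "host [user]" line trusts ruser@host; a bare host means ruser == luser. */
static int listed(const char *file, const char *host,
                  const char *ruser, const char *luser)
{
    while (*file) {
        char line[128], h[64], u[64];
        size_t len = strcspn(file, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, file);
        int n = sscanf(line, "%63s %63s", h, u);
        if (n >= 1 && !strcmp(h, host) && !strcmp(n == 2 ? u : luser, ruser))
            return 1;
        file += len + (file[len] == '\n');
    }
    return 0;
}

/* Stand-in for iruserok(3), 0 = trusted: nonzero superuser skips hosts.equiv. */
int model_iruserok(const char *host, int superuser, const char *ruser,
                   const char *luser, const char *rhosts)
{
    if (!superuser && listed(HOSTS_EQUIV, host, ruser, luser))
        return 0;
    return listed(rhosts, host, ruser, luser) ? 0 : -1;
}

/* The quoted do_rlogin logic: uid 0 never reaches the trust lookup. */
int rlogind_check(int uid, const char *host, const char *ruser,
                  const char *luser, const char *rhosts)
{
    if (uid == 0)
        return (-1);
    return model_iruserok(host, 0, ruser, luser, rhosts);
}

int main(void)
{
    const char *s1 = "sun1.example.org", *s2 = "sun2.example.org";
    printf("rlogind root@sun2=%d  su=1 root@sun2=%d  su=0 root@sun1=%d\n",
           rlogind_check(0, s2, "root", "root", ROOT_RHOSTS),
           model_iruserok(s2, 1, "root", "root", ROOT_RHOSTS),
           model_iruserok(s1, 0, "root", "root", ROOT_RHOSTS));
    return 0;
}
```

The last case is the one to watch when changing this code: if root reaches the lookup with the superuser argument left at 0, a hosts.equiv entry alone is enough to trust root, without any entry in root's own .rhosts.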