Summary: rexecd for exceed

From: Becki Kain (bkain@erim.org)
Date: Fri Jul 02 1999 - 09:52:29 CDT


Thanks to everyone who answered me on this. The general consensus was there
are better ways to accommodate exceed than running the r-suite. The original
question was:

I was just told by one of my end users that to run exceed for him, I
need to be running rexecd on my 2.5.1 sparc. is this true and is this a
security issue I need to worry about?

I've included some of the more explicit answers and thanks to everyone!

Bill Hebert [bhebert@nuc.berkeley.edu]
NO it's not true. By default Exceed would like you to be running rexecd
but this would be an extreme security issue due to the lack of
authentication. It would be okay if you were on a private network maybe.

What we do is this. Use F-Secure (SSH) to login to the unix box. (Note:
X11 forwarding needs to be enabled in Preferences) Then just start the
Exceed server on the windows machine. (this is the icon that just says
exceed.)

Finally the user types xterm or whatever in the SSH window with whatever
options he/she wants, and an xterm window will pop up on the PC.

The default Exceed behavior is to try and use rexec, rsh, or rlogin to
start the session but IMHO anybody in their right mind wouldn't allow this.

Tim Carlson [tim@santafe.edu]

it gets spawned out of inetd.conf

exec stream tcp nowait root /usr/etc/tcpd in.rexecd

In my case, I have put tcp wrappers around it to restrict access. You
should probably do the same.

Danny Johnson [djohnson@nbserv1.rsc.raytheon.com]
it IS a security issue; do not run rexecd for such a flimsy excuse.

the "proper" way to support Exceed is to start up xdm (available
in /usr/openwin/bin for example). xdm will then run their
$HOME/.xsession file from /usr/lib/X11/xdm/Xsession after
the users xdmcp-query directly or pick a system from the chooser
(xdmcp-broadcast).

if the user does not like that, they can always telnet into the
machine in question and start their x clients from the command
line (this presumes Exceed is already running, say in passive mode.)
this method is clearly more trouble, which is why I tell my users
to login through xdm and quit bitching. for other applications
we do support rexecd, so it is possible for users to rexec to
start Exceed, and such users' incompetent attempts to use it cause
continual mysterious problems. (the problem is not the actual
rexec but rather the question of how to start up the X environment,
something PC users try their best to ignore the existence of.
you don't have to have these arguments if you just force people
to go through xdm with its well-defined user startup/"login" process).

Varad Rajan [varad.rajan@hsc.hac.com] who said it was a client side only
configuration

and two people did not think running the r-commands was a security risk.

same answers:
Gene Rackow [rackow@mcs.anl.gov]
Rich Quinn [rquinn@sight-n-sound.com]
Thomas Carter [tcarter@memc.com]
Brion Leary [brion@dia.state.ma.us]
dana@dtn.com
John Dorsey [dorsey@Colquitt.Org]
Steve Elliott [se@comp.lancs.ac.uk]
Birger Wathne [Birger.Wathne@Ark.no]
Jonathan.Small@chase.com
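
An added example, not part of the original post or of any reply quoted in it: a small shell audit of an inetd.conf that reports which of the r-services named in the thread (exec, shell, login) are active and whether each is started through tcpd, as in the inetd.conf line quoted above. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit inetd.conf for the r-services discussed in this thread.
# inetd.conf fields: service socket proto wait user server-path argv0 [args...]

# audit_inetd [FILE...]  (reads stdin when no file is given)
# Prints one line per active exec/shell/login entry:
#   <service> wrapped   <daemon>  server path is tcpd, so hosts.allow and
#                                 hosts.deny are consulted before the daemon runs
#   <service> UNWRAPPED <daemon>  inetd starts the daemon directly
audit_inetd() {
    awk '
        $1 ~ /^#/ || NF < 7 { next }        # skip comments and short lines
        $1 == "exec" || $1 == "shell" || $1 == "login" {
            n = split($6, path, "/")        # basename of the server path
            if (path[n] == "tcpd")
                printf "%s wrapped %s\n", $1, $7
            else
                printf "%s UNWRAPPED %s\n", $1, $7
        }
    ' "$@"
}

# count_unwrapped [FILE...]: number of active r-services not behind tcpd.
count_unwrapped() {
    audit_inetd "$@" | awk '$2 == "UNWRAPPED" { n++ } END { print n + 0 }'
}

# Constructed sample input, not taken from a real host.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
exec    stream  tcp  nowait  root  /usr/etc/tcpd         in.rexecd
shell   stream  tcp  nowait  root  /usr/sbin/in.rshd     in.rshd
#login  stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
EOF
}

# Run the audit over the sample; on a real host pass /etc/inetd.conf instead.
sample_inetd_conf | audit_inetd
```

A "wrapped" result only means tcpd is in the path; access is restricted only if hosts.allow and hosts.deny actually contain rules for that daemon.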


