SUMMARY: Deactivate .rhosts functionality

From: Michel Pilon (pilonm@ccg.rncan.gc.ca)
Date: Tue May 16 1995 - 03:37:15 CDT


Hi everybody,

        Finally, the SUMMARY.

The original question was:

>
> Hi Solaris gurus,
>
> For security concern, I do not want the users be able to create
> a .rhosts file in their home directory. I am using Solaris 2.4 on a
> SparcServer 20.
>
> I began to create myself a .rhosts in each user directory with the
> protection 440 and put root as owner of that file but the user is able to
> overwrite it (just move a file over it with the same name...). So I realized
> that I cannot lock a file in a user directory if the parent directory is owned
> by that user. :-(
>
> The other solution I am thinking is to have a cron reporting me daily
> all the .rhosts it will find via mail.
>
> So, I would like to know if there is a more effective way to
> prevent any users to create a .rhosts file in their home directory.
>
> Thanks in advance,
>

Principally, we got 5 different answers:

        1) Use tcpwrappers: It is found at the ftp site cert.org in the
           directory /pub/tools/tripwire (It is the option we have
           chosen and it works very well!).

        2) Run a cron at each x minutes to remove all the .rhosts in the
           user account. (We do not like to add another cron running at
           each x minutes on our systems. If we can avoid it...).

        3) Use logdaemon. (This software seems good also...).

        4) Deactivate the access to .rhosts in the good library using
           a binary editor. (Drastic :-/)

        5) Comment rlogin/rsh services in /etc/inetd.conf (No flexibility...)

Special thanks to:

Thomas Jordan jordan@bell-atl.com
Yves Lepage yves@cc.mcgill.ca
Andrej Misik Andrej.Misik@fmph.uniba.sk
David Sammut <sammut@citr.uq.oz.au>
Kira Attwood <kira@ice-nine.dorm.virginia.edu>
Brian T. Wightman wightman@sol.acs.uwosh.edu
Christopher Davis <ckd@loiosh.kei.com>
Friedel Loinger <friedel@wise1.tau.ac.il>
Juergen Peus (grobi@uni-paderborn.de)
Peter Allan peter.allan@aeat.co.uk
Jochen Bern bern@penthesilea.uni-trier.de
James W. Williams williams@atscv1.atsc.allied.com
Richard Pieri <ratinox@unilab.dfci.harvard.edu>
Steve ssd@nevets.oau.org
David dburton@mpc-uk.com
Adam Fox adamfox@super.org
Steve Young <syoung@cs.Buffalo.EDU>
and others...

--
			      \\~ ~//
		              (	o o )
------------------------o000o----0----o000o-------------------------
Michel Pilon                        E-mail: michel.pilon@CCG.RNCan.gc.ca
Administrateur de systemes Unix     Tel:    (819) 564-5600 ext.4885
Centre Canadien de Geomatique       Fax:    (819) 564-5698
2144 King Ouest, suite 010, Sherbrooke, Quebec, Canada, J1J 2E8
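
The daily report proposed in the original question (and the periodic sweep of answer 2) could be run from cron with a script like the following. It is an added example, not code from the post or its respondents; the function names `rhosts_risk` and `audit_rhosts` and the output columns are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): list every .rhosts file in the
# home directories named by a passwd-format file. Output format is assumed.

# rhosts_risk FILE: print "wildcard" if an entry has "+" as host or user
# (trust every host / every user), otherwise "listed-hosts".
rhosts_risk() {
    if awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        $1 == "+" || $2 == "+" { found = 1 }
        END { exit !found }' "$1"
    then echo wildcard
    else echo listed-hosts
    fi
}

# audit_rhosts [PASSWD_FILE]: one line per file: user path owner mode risk
audit_rhosts() {
    passwd_file=${1:-/etc/passwd}
    # passwd fields: name:password:uid:gid:gecos:home:shell
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$home" ] || continue
        f=$home/.rhosts
        # -e is false for a dangling symlink, so test -L as well.
        [ -e "$f" ] || [ -L "$f" ] || continue
        # Owner shows whether a root-owned placeholder has been replaced.
        owner_mode=$(ls -ld "$f" | awk '{ print $3, $1 }')
        if [ -f "$f" ] && [ -r "$f" ]; then
            risk=$(rhosts_risk "$f")
        else
            risk=unreadable
        fi
        echo "$user $f $owner_mode $risk"
    done < "$passwd_file"
}

# Stand-alone use: sh audit_rhosts.sh /etc/passwd
if [ "$#" -gt 0 ]; then
    audit_rhosts "$1"
fi
```

Run as root so that every home directory can be read; a file reported with an owner other than root is one the user created or moved into place.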
