diff --git a/.cvsignore b/.cvsignore index e69de29..d5229d4 100644 --- a/.cvsignore +++ b/.cvsignore @@ -0,0 +1,2 @@ +netkit-rsh-0.17-pre20000412.tar.gz +rexec-1.5.tar.gz diff --git a/netkit-rsh-0.10-stdarg.patch b/netkit-rsh-0.10-stdarg.patch new file mode 100644 index 0000000..584e762 --- /dev/null +++ b/netkit-rsh-0.10-stdarg.patch @@ -0,0 +1,43 @@ +--- netkit-rsh-0.10/rcp/rcp.c 1999-04-18 05:16:49-04 1.1 ++++ netkit-rsh-0.10/rcp/rcp.c 1999-04-18 05:40:52-04 +@@ -836,19 +836,33 @@ + error(const char *fmt, ...) + { + static FILE *fp; +- va_list ap; +- +- va_start(ap, fmt); ++ char buf[1000]; + + ++errs; + if (!fp && !(fp = fdopen(rem, "w"))) + return; +- fprintf(fp, "%c", 0x01); +- vfprintf(fp, fmt, ap); ++ ++ /* (fmt,...) might need to go to two streams. ++ * ++ * In { va_start ; vfprintf ; vfprintf ; va_end }, second ++ * vfprintf didn't restart (ie: vfprintf affects ap) (glibc) ++ * ++ * Is { va_start ; vfprintf ; va_end} * 2 even allowed? ++ * ++ * => Dump (fmt,...) to buffer. */ ++ ++ { ++ va_list ap; ++ va_start(ap, fmt); ++ vsnprintf(buf, sizeof(buf), fmt, ap); ++ buf[sizeof(buf)-1] = 0; ++ va_end(ap); ++ } ++ ++ fprintf(fp, "%c%s", 0x01, buf); + fflush(fp); +- if (!iamremote) vfprintf(stderr, fmt, ap); + +- va_end(ap); ++ if (!iamremote) fputs(buf, stderr); + } + + static void diff --git a/netkit-rsh-0.16-jbj.patch b/netkit-rsh-0.16-jbj.patch new file mode 100644 index 0000000..64495e9 --- /dev/null +++ b/netkit-rsh-0.16-jbj.patch @@ -0,0 +1,33 @@ +--- netkit-rsh-0.16/rcp/Makefile.jbj Tue Dec 21 16:32:51 1999 ++++ netkit-rsh-0.16/rcp/Makefile Tue Dec 21 16:33:16 1999 +@@ -7,7 +7,7 @@ + $(CC) $(LDFLAGS) $^ $(LIBS) -o $@ + + install: rcp +- install -s -o root -m$(SUIDMODE) rcp $(INSTALLROOT)$(BINDIR) ++ install -s rcp $(INSTALLROOT)$(BINDIR) + install -m$(MANMODE) rcp.1 $(INSTALLROOT)$(MANDIR)/man1 + + clean: +--- netkit-rsh-0.16/rlogin/Makefile.jbj Tue Dec 21 16:33:57 1999 ++++ netkit-rsh-0.16/rlogin/Makefile Tue Dec 21 16:34:08 1999 +@@ -10,7 +10,7 @@ + $(CC) $(LDFLAGS) $^ $(LIBS) -o $@ + + install: $(PROG) +- install -s -o root -m$(SUIDMODE) $(PROG) $(INSTALLROOT)$(BINDIR) ++ install -s $(PROG) $(INSTALLROOT)$(BINDIR) + install -m $(MANMODE) $(PROG).1 $(INSTALLROOT)$(MANDIR)/man1 + + clean: +--- netkit-rsh-0.16/rsh/Makefile.jbj Tue Dec 21 16:33:28 1999 ++++ netkit-rsh-0.16/rsh/Makefile Tue Dec 21 16:33:44 1999 +@@ -9,7 +9,7 @@ + $(CC) $(LDFLAGS) $^ $(LIBS) -o $@ + + install: rsh +- install -s -o root -m$(SUIDMODE) rsh $(INSTALLROOT)$(BINDIR) ++ install -s rsh $(INSTALLROOT)$(BINDIR) + install -m$(MANMODE) rsh.1 $(INSTALLROOT)$(MANDIR)/man1 + + clean: diff --git a/netkit-rsh-0.16-jbj2.patch b/netkit-rsh-0.16-jbj2.patch new file mode 100644 index 0000000..9b76a5a --- /dev/null +++ b/netkit-rsh-0.16-jbj2.patch @@ -0,0 +1,83 @@ +--- netkit-rsh-0.16/rshd/rshd.c.jbj2 Mon Jan 10 11:23:21 2000 ++++ netkit-rsh-0.16/rshd/rshd.c Mon Jan 10 13:34:44 2000 +@@ -43,7 +43,7 @@ + * From: @(#)rshd.c 5.38 (Berkeley) 3/2/91 + */ + char rcsid[] = +- "$Id: rshd.c,v 1.22 1999/10/02 21:45:08 dholland Exp $"; ++ "$Id: rshd.c,v 1.23 1999/12/17 14:57:09 dholland Exp $"; + #include "../version.h" + + /* +@@ -171,7 +171,7 @@ + fd_set ready, readfrom; + char buf[BUFSIZ], sig; + int one = 1; +- int nfd, cc, done=0; ++ int nfd, cc, guys=2; + + ioctl(pype, FIONBIO, (char *)&one); + /* should set s nbio! */ +@@ -182,24 +182,28 @@ + if (pype > sock) nfd = pype+1; + else nfd = sock+1; + +- while (!done) { ++ while (guys > 0) { + ready = readfrom; +- if (select(nfd, &ready, NULL, NULL, NULL) < 0 && errno != EINTR) { +- break; ++ if (select(nfd, &ready, NULL, NULL, NULL) < 0) { ++ if (errno != EINTR) { ++ break; ++ } ++ continue; + } +- done = 1; + if (FD_ISSET(sock, &ready)) { +- done = 0; + cc = read(sock, &sig, 1); +- if (cc <= 0) FD_CLR(sock, &readfrom); ++ if (cc <= 0) { ++ FD_CLR(sock, &readfrom); ++ guys--; ++ } + else killpg(pid, sig); + } + if (FD_ISSET(pype, &ready)) { +- done = 0; + cc = read(pype, buf, sizeof(buf)); + if (cc <= 0) { + shutdown(sock, 2); + FD_CLR(pype, &readfrom); ++ guys--; + } + else write(sock, buf, cc); + } +@@ -209,6 +213,8 @@ + /* + * This does not strike me as the right place for this; this is + * in a child process... what does this need to accomplish? ++ * ++ * No, it's not the child process, the code is just confusing. + */ + pam_close_session(pamh, 0); + pam_end(pamh, PAM_SUCCESS); +@@ -513,7 +519,7 @@ + ipproto = ip->p_proto; + else + ipproto = IPPROTO_IP; +- if (!getsockopt(0, ipproto, IP_OPTIONS, (char *)optbuf, &optsize) && ++ if (!getsockopt(fd, ipproto, IP_OPTIONS, (char *)optbuf, &optsize) && + optsize != 0) { + lp = lbuf; + +@@ -530,7 +536,7 @@ + " (ignored): %s", + inet_ntoa(fromp->sin_addr), lbuf); + +- if (setsockopt(0, ipproto, IP_OPTIONS, NULL, optsize) != 0) { ++ if (setsockopt(fd, ipproto, IP_OPTIONS, NULL, optsize) != 0) { + syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m"); + exit(1); + } diff --git a/netkit-rsh-0.16-jbj3.patch b/netkit-rsh-0.16-jbj3.patch new file mode 100644 index 0000000..d1e6f5c --- /dev/null +++ b/netkit-rsh-0.16-jbj3.patch @@ -0,0 +1,180 @@ +--- netkit-rsh-0.16/rlogind/auth.c.jbj3 Mon Jan 10 13:40:26 2000 ++++ netkit-rsh-0.16/rlogind/auth.c Mon Jan 10 13:46:25 2000 +@@ -31,6 +31,9 @@ + * SUCH DAMAGE. + */ + ++#include ++#include ++ + #include "rlogind.h" + + #ifdef USE_PAM +@@ -47,10 +50,8 @@ + #include + #include + #include +-#include + #include + +-#include + #include + #include + +@@ -68,7 +69,10 @@ + } + + void auth_finish(void) { +- pam_end(pamh, PAM_SUCCESS); ++ if (pamh) { ++ pam_end(pamh, PAM_SUCCESS); ++ pamh = NULL; ++ } + } + + static int attempt_auth(void) { +@@ -78,11 +82,7 @@ + if (retval == PAM_SUCCESS) { + retval = pam_acct_mgmt(pamh, 0); + } +- switch (retval) { +- default: +- case PAM_SUCCESS: +- break; +- case PAM_NEW_AUTHTOK_REQD: ++ if (retval == PAM_NEW_AUTHTOK_REQD) { + retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (retval == PAM_SUCCESS) { + /* +@@ -98,7 +98,6 @@ + */ + retval = attempt_auth(); + } +- break; + } + return retval; + } +@@ -108,7 +107,7 @@ + * or return 0 on authentication success. Dying is discouraged. + */ + int auth_checkauth(const char *remoteuser, const char *host, +- char *localuser, int localuserlen) ++ char *localuser, size_t localusersize) + { + static struct pam_conv conv = { sock_conv, NULL }; + int retval; +@@ -140,8 +139,8 @@ + */ + return -1; + } +- strncpy(localuser, ln, localuserlen-1); +- localuser[localuserlen-1] = '\0'; ++ strncpy(localuser, ln, localusersize-1); ++ localuser[localusersize-1] = '\0'; + + pwd = getpwnam(localuser); + if (pwd == NULL || setgid(pwd->pw_gid) != 0) { +@@ -171,7 +170,6 @@ + + #include /* for ruserok() in libc5 (!) */ + #include /* for ruserok() in glibc (!) */ +-#include + + #if defined(__GLIBC__) && (__GLIBC__ >= 2) + #define _check_rhosts_file __check_rhosts_file +@@ -187,9 +185,11 @@ + * or return 0 on authentication success. Dying is discouraged. + */ + int auth_checkauth(const char *remoteuser, const char *host, +- char *localuser, int localuserlen) ++ char *localuser, size_t localusersize) + { + struct passwd *pwd; ++ ++ (void)localusersize; + pwd = getpwnam(localuser); + if (pwd == NULL) return -1; + +--- netkit-rsh-0.16/rlogind/rlogind.c.jbj3 Mon Jan 10 13:46:41 2000 ++++ netkit-rsh-0.16/rlogind/rlogind.c Mon Jan 10 13:50:24 2000 +@@ -52,6 +52,7 @@ + * data + */ + ++#include /* for size_t */ + #include /* for MAXPATHLEN */ + #include /* for chmod() */ + #include /* for TIOCPKT */ +@@ -298,7 +299,7 @@ + chown(line, 0, 0); + + /* all done */ +- exit(1); ++ exit(0); + } + + +@@ -334,24 +335,22 @@ + static void child(const char *hname, const char *termtype, + const char *localuser, int authenticated) + { +- char *env[2]; +- char *termenv; ++ char *termenv[2]; + + setup_term(0, termtype); + +- termenv = malloc(strlen(termtype)+6); +- if (termenv) { /* shouldn't ever fail, mind you */ +- strcpy(termenv, "TERM="); +- strcat(termenv, termtype); ++ termenv[0] = malloc(strlen(termtype)+6); ++ if (termenv[0]) { /* shouldn't ever fail, mind you */ ++ strcpy(termenv[0], "TERM="); ++ strcat(termenv[0], termtype); + } +- env[0] = termenv; +- env[1] = NULL; ++ termenv[1] = NULL; + + if (authenticated) { + auth_finish(); + closeall(); + execle(_PATH_LOGIN, "login", "-p", +- "-h", hname, "-f", localuser, NULL, env); ++ "-h", hname, "-f", localuser, NULL, termenv); + } + else { + if (localuser[0] == '-') { +@@ -361,7 +360,7 @@ + auth_finish(); + closeall(); + execle(_PATH_LOGIN, "login", "-p", +- "-h", hname, localuser, NULL, env); ++ "-h", hname, localuser, NULL, termenv); + } + /* Can't exec login, croak */ + fatal(STDERR_FILENO, _PATH_LOGIN, 1); +@@ -402,8 +401,10 @@ + * this will break anything or give away state secrets. + */ + if (hostok) { +- if (auth_checkauth(rusername, hname, lusername, sizeof(lusername)) == 0) ++ if (auth_checkauth(rusername, hname, ++ lusername, sizeof(lusername)) == 0) { + authenticated=1; ++ } + } + network_confirm(); + +--- netkit-rsh-0.16/rlogind/rlogind.h.jbj3 Mon Jan 10 13:50:37 2000 ++++ netkit-rsh-0.16/rlogind/rlogind.h Mon Jan 10 13:51:06 2000 +@@ -12,7 +12,7 @@ + void auth_checkoptions(void); + void auth_finish(void); + int auth_checkauth(const char *remoteuser, const char *host, +- char *localuser, int localuserlen); ++ char *localuser, size_t localuserlen); + + /* + * Global flag variables diff --git a/netkit-rsh-0.16-jbj4.patch b/netkit-rsh-0.16-jbj4.patch new file mode 100644 index 0000000..73b810e --- /dev/null +++ b/netkit-rsh-0.16-jbj4.patch @@ -0,0 +1,14 @@ +--- netkit-rsh-0.16/rshd/Makefile.jbj4 Fri Jan 28 12:17:42 2000 ++++ netkit-rsh-0.16/rshd/Makefile Fri Jan 28 12:17:56 2000 +@@ -6,9 +6,8 @@ + OBJS = rshd.o + + ifeq ($(USE_PAM),1) +-# ? +-CFLAGS += # -DUSE_PAM +-LIBS += -ldl # -lpam -lpam_misc ++CFLAGS += -DUSE_PAM ++LIBS += -ldl -lpam -lpam_misc + endif + + rshd: $(OBJS) diff --git a/netkit-rsh-0.16-nokrb.patch b/netkit-rsh-0.16-nokrb.patch new file mode 100644 index 0000000..f3e06b8 --- /dev/null +++ b/netkit-rsh-0.16-nokrb.patch @@ -0,0 +1,231 @@ +diff -uNr netkit-rsh-0.16/rcp/rcp.1 netkit-rsh-0.16/rcp/rcp.1 +--- netkit-rsh-0.16/rcp/rcp.1 Tue Dec 14 07:52:57 1999 ++++ netkit-rsh-0.16/rcp/rcp.1 Mon May 29 22:52:34 2000 +@@ -41,12 +41,10 @@ + .Sh SYNOPSIS + .Nm rcp + .Op Fl px +-.Op Fl k Ar realm + .Ar file1 file2 + .Nm rcp + .Op Fl px + .Op Fl r +-.Op Fl k Ar realm + .Ar file ... + .Ar directory + .Sh DESCRIPTION +@@ -79,27 +77,6 @@ + modified by the + .Xr umask 2 + on the destination host is used. +-.It Fl k +-The +-.Fl k +-option requests +-.Nm rcp +-to obtain tickets +-for the remote host in realm +-.Ar realm +-instead of the remote host's realm as determined by +-.Xr krb_realmofhost 3 . +-.It Fl x +-The +-.Fl x +-option turns on +-.Tn DES +-encryption for all data passed by +-.Nm rcp . +-This may impact response time and +-.Tn CPU +-utilization, but provides +-increased security. + .El + .Pp + If +@@ -134,11 +111,6 @@ + .Nm rcp + command appeared in + .Bx 4.2 . +-The version of +-.Nm rcp +-described here +-has been reimplemented with Kerberos in +-.Bx 4.3 Reno . + .Sh BUGS + Doesn't detect all cases where the target of a copy might + be a file in cases where only a directory should be legal. +diff -uNr netkit-rsh-0.16/rlogin/rlogin.1 netkit-rsh-0.16/rlogin/rlogin.1 +--- netkit-rsh-0.16/rlogin/rlogin.1 Tue Dec 14 07:52:57 1999 ++++ netkit-rsh-0.16/rlogin/rlogin.1 Mon May 29 22:51:42 2000 +@@ -42,7 +42,6 @@ + .Ar rlogin + .Op Fl 8EKLdx + .Op Fl e Ar char +-.Op Fl k Ar realm + .Op Fl l Ar username + .Ar host + .Sh DESCRIPTION +@@ -50,9 +49,7 @@ + starts a terminal session on a remote host + .Ar host . + .Pp +-.Nm Rlogin +-first attempts to use the Kerberos authorization mechanism, described below. +-If the remote host does not supporting Kerberos the standard Berkeley ++The standard Berkeley + .Pa rhosts + authorization mechanism is used. + The options are as follows: +@@ -71,10 +68,6 @@ + When used with the + .Fl 8 + option, this provides a completely transparent connection. +-.It Fl K +-The +-.Fl K +-option turns off all Kerberos authentication. + .It Fl L + The + .Fl L +@@ -94,25 +87,6 @@ + ``~'' by default. + This specification may be as a literal character, or as an octal + value in the form \ennn. +-.It Fl k +-The +-.FL k +-option requests rlogin to obtain tickets for the remote host +-in realm +-.Ar realm +-instead of the remote host's realm as determined by +-.Xr krb_realmofhost 3 . +-.It Fl x +-The +-.Fl x +-option turns on +-.Tn DES +-encryption for all data passed via the +-rlogin session. +-This may impact response time and +-.Tn CPU +-utilization, but provides +-increased security. + .El + .Pp + A line of the form ``.'' disconnects from the remote host. +@@ -129,35 +103,6 @@ + is transparent. + Flow control via ^S/^Q and flushing of input and output on interrupts + are handled properly. +-.Sh KERBEROS AUTHENTICATION +-Each user may have a private authorization list in the file +-.Pa .klogin +-in their home directory. +-Each line in this file should contain a Kerberos principal name of the +-form +-.Ar principal.instance@realm . +-If the originating user is authenticated to one of the principals named +-in +-.Pa .klogin , +-access is granted to the account. +-The principal +-.Ar accountname.@localrealm +-is granted access if +-there is no +-.Pa .klogin +-file. +-Otherwise a login and password will be prompted for on the remote machine +-as in +-.Xr login 1 . +-To avoid certain security problems, the +-.Pa .klogin +-file must be owned by +-the remote user. +-.Pp +-If Kerberos authentication fails, a warning message is printed and the +-standard Berkeley +-.Nm rlogin +-is used instead. + .Sh ENVIRONMENT + The following environment variable is utilized by + .Nm rlogin : +@@ -167,9 +112,6 @@ + .El + .Sh SEE ALSO + .Xr rsh 1 , +-.Xr kerberos 3 , +-.Xr krb_sendauth 3 , +-.Xr krb_realmofhost 3 + .Sh HISTORY + The + .Nm rlogin +diff -uNr netkit-rsh-0.16/rsh/rsh.1 netkit-rsh-0.16/rsh/rsh.1 +--- netkit-rsh-0.16/rsh/rsh.1 Tue Dec 14 07:52:58 1999 ++++ netkit-rsh-0.16/rsh/rsh.1 Mon May 29 22:51:29 2000 +@@ -41,7 +41,6 @@ + .Sh SYNOPSIS + .Nm rsh + .Op Fl Kdnx +-.Op Fl k Ar realm + .Op Fl l Ar username + .Ar host + .Op command +@@ -62,10 +61,6 @@ + normally terminates when the remote command does. + The options are as follows: + .Bl -tag -width flag +-.It Fl K +-The +-.Fl K +-option turns off all Kerberos authentication. + .It Fl d + The + .Fl d +@@ -74,23 +69,11 @@ + on the + .Tn TCP + sockets used for communication with the remote host. +-.It Fl k +-The +-.Fl k +-option causes +-.Nm rsh +-to obtain tickets for the remote host in +-.Ar realm +-instead of the remote host's realm as determined by +-.Xr krb_realmofhost 3 . + .It Fl l + By default, the remote username is the same as the local username. + The + .Fl l + option allows the remote name to be specified. +-Kerberos authentication is used, and authorization is determined +-as in +-.Xr rlogin 1 . + .It Fl n + The + .Fl n +@@ -99,13 +82,6 @@ + (see the + .Sx BUGS + section of this manual page). +-.It Fl x +-The +-.Fl x +-option turns on +-.Tn DES +-encryption for all data exchange. +-This may introduce a significant delay in response time. + .El + .Pp + If no +@@ -142,9 +118,6 @@ + .El + .Sh SEE ALSO + .Xr rlogin 1 , +-.Xr kerberos 3 , +-.Xr krb_sendauth 3 , +-.Xr krb_realmofhost 3 + .Sh HISTORY + The + .Nm rsh diff --git a/netkit-rsh-0.16-pamfix.patch b/netkit-rsh-0.16-pamfix.patch new file mode 100644 index 0000000..ff0baf1 --- /dev/null +++ b/netkit-rsh-0.16-pamfix.patch @@ -0,0 +1,226 @@ +--- netkit-rsh-0.16/rlogind/auth.c.pamfix Wed Oct 13 21:18:31 1999 ++++ netkit-rsh-0.16/rlogind/auth.c Wed Jan 5 12:52:49 2000 +@@ -47,6 +47,8 @@ + #include + #include + #include ++#include ++#include + + #include + #include +@@ -76,7 +78,11 @@ + if (retval == PAM_SUCCESS) { + retval = pam_acct_mgmt(pamh, 0); + } +- if (retval == PAM_NEW_AUTHTOK_REQD) { ++ switch (retval) { ++ default: ++ case PAM_SUCCESS: ++ break; ++ case PAM_NEW_AUTHTOK_REQD: + retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (retval == PAM_SUCCESS) { + /* +@@ -92,16 +98,9 @@ + */ + retval = attempt_auth(); + } ++ break; + } + return retval; +- +-#if 0 +- while (0); /* We have the while(0) here because it is either using +- that and the breaks, or goto's */ +- /* eww. -dah */ +- /* well, replace it with goto's if you like! I won't tell! -mkj */ +- /* How 'bout recursion? This better? :-) -dah */ +-#endif + } + + /* +@@ -109,15 +108,11 @@ + * or return 0 on authentication success. Dying is discouraged. + */ + int auth_checkauth(const char *remoteuser, const char *host, +- const char *localuser) ++ char *localuser, int localuserlen) + { + static struct pam_conv conv = { sock_conv, NULL }; +- const char *ln; +-/* int NMAX=8; heaven knows what this was used for */ +- /* struct passwd *pwd; */ + int retval; + +-/* retval = pam_start("rlogin", lusername, &conv, &pamh); */ + retval = pam_start("rlogin", localuser, &conv, &pamh); + if (retval != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_start: %s\n", pam_strerror(pamh, retval)); +@@ -131,74 +126,39 @@ + + network_confirm(); + retval = attempt_auth(); +- if (retval != PAM_SUCCESS) { +- syslog(LOG_ERR, "PAM authentication failed for in.rlogind"); +- return -1; +- } ++ if (retval == PAM_SUCCESS) { ++ struct passwd *pwd; ++ char *ln; + +- /* +- * I do not understand the purpose of this code. At present it +- * won't (or at least shouldn't) compile, since localuser is +- * read-only and NMAX isn't defined. +- * +- * Is it perhaps the case that in the presence of a hosts_equiv +- * file to allow all users from the remote host, PAM returns +- * success even though there's no such user? In that case this +- * code should probably be changed to the following: +- * +- * const char *ln; +- * pam_get_item(pamh, PAM_USER, &ln); +- * if (!ln || !*ln) return -1; +- * +- * If it's really necessary to be able to change the localuser, +- * I suppose this can be managed. +- */ +- +- /* +- * Changed to above suggestion as the previous code was fubared under 64bit +- * It used to be: +- * pam_get_item(pamh, PAM_USER, &ln); +- * if (ln && *ln) { +- * (copy ln into localuser) +- * } +- * else return -1; +- * +- * THIS MAY NOT BE RIGHT. +- */ +- +- pam_get_item(pamh, PAM_USER, &ln); +- if (!ln || !*ln) { +- /* +- * Authentication wasn't adequate for requirements. +- * Fall through to login quietly; don't let the +- * remote user tell if he's found a valid username +- * or not. +- */ +- return -1; +- } ++ pam_get_item(pamh, PAM_USER, &ln); ++ if (!(ln && *ln)) { ++ /* ++ * Authentication wasn't adequate for requirements. ++ * Fall through to login quietly; don't let the ++ * remote user tell if he's found a valid username ++ * or not. ++ */ ++ return -1; ++ } ++ strncpy(localuser, ln, localuserlen-1); ++ localuser[localuserlen-1] = '\0'; + +- /* +- * And, as far as I can tell, this shouldn't be here at all. +- * /bin/login is supposed to handle this, isn't it? Certainly +- * the gids. +- */ +-#if 0 +- pwd = getpwnam(lusername); +- /* what if pwd is null? */ +- if (setgid(pwd->pw_gid) != 0) { +- fprintf(stderr, "cannot assume gid\n"); +- return -1; +- } +- if (initgroups(lusername, pwd->pw_gid) != 0) { +- fprintf(stderr, "cannot initgroups\n"); +- return -1; ++ pwd = getpwnam(localuser); ++ if (pwd == NULL || setgid(pwd->pw_gid) != 0) { ++ syslog(LOG_ERR, "PAM cannot assume gid\n"); ++ return -1; ++ } ++ if (initgroups(localuser, pwd->pw_gid) != 0) { ++ syslog(LOG_ERR, "PAM cannot initgroups\n"); ++ return -1; ++ } ++ retval = pam_setcred(pamh, PAM_ESTABLISH_CRED); + } +- retval = pam_setcred(pamh, PAM_CRED_ESTABLISH); ++ + if (retval != PAM_SUCCESS) { +- syslog(LOG_ERR,"PAM authentication failed for in.rlogind"); ++ syslog(LOG_ERR, "PAM authentication failed for in.rlogind"); + return -1; + } +-#endif + + return 0; + } +@@ -227,7 +187,7 @@ + * or return 0 on authentication success. Dying is discouraged. + */ + int auth_checkauth(const char *remoteuser, const char *host, +- const char *localuser) ++ char *localuser, int localuserlen) + { + struct passwd *pwd; + pwd = getpwnam(localuser); +--- netkit-rsh-0.16/rlogind/rlogind.c.pamfix Sat Oct 2 17:50:52 1999 ++++ netkit-rsh-0.16/rlogind/rlogind.c Wed Jan 5 12:49:49 2000 +@@ -334,6 +334,7 @@ + static void child(const char *hname, const char *termtype, + const char *localuser, int authenticated) + { ++ char *env[2]; + char *termenv; + + setup_term(0, termtype); +@@ -343,12 +344,14 @@ + strcpy(termenv, "TERM="); + strcat(termenv, termtype); + } ++ env[0] = termenv; ++ env[1] = NULL; + + if (authenticated) { + auth_finish(); + closeall(); + execle(_PATH_LOGIN, "login", "-p", +- "-h", hname, "-f", localuser, NULL, termenv, NULL); ++ "-h", hname, "-f", localuser, NULL, env); + } + else { + if (localuser[0] == '-') { +@@ -358,7 +361,7 @@ + auth_finish(); + closeall(); + execle(_PATH_LOGIN, "login", "-p", +- "-h", hname, localuser, NULL, termenv, NULL); ++ "-h", hname, localuser, NULL, env); + } + /* Can't exec login, croak */ + fatal(STDERR_FILENO, _PATH_LOGIN, 1); +@@ -399,7 +402,8 @@ + * this will break anything or give away state secrets. + */ + if (hostok) { +- if (auth_checkauth(rusername, hname, lusername) == 0) authenticated=1; ++ if (auth_checkauth(rusername, hname, lusername, sizeof(lusername)) == 0) ++ authenticated=1; + } + network_confirm(); + +--- netkit-rsh-0.16/rlogind/rlogind.h.pamfix Fri Jun 13 06:02:46 1997 ++++ netkit-rsh-0.16/rlogind/rlogind.h Wed Jan 5 12:01:13 2000 +@@ -12,7 +12,7 @@ + void auth_checkoptions(void); + void auth_finish(void); + int auth_checkauth(const char *remoteuser, const char *host, +- const char *localuser); ++ char *localuser, int localuserlen); + + /* + * Global flag variables diff --git a/netkit-rsh-0.16-prompt.patch b/netkit-rsh-0.16-prompt.patch new file mode 100644 index 0000000..8091dcc --- /dev/null +++ b/netkit-rsh-0.16-prompt.patch @@ -0,0 +1,37 @@ +--- netkit-rsh-0.16/rexec/rexec.c.prompt Mon Feb 28 16:23:33 2000 ++++ netkit-rsh-0.16/rexec/rexec.c Mon Feb 28 16:49:23 2000 +@@ -164,12 +164,30 @@ + user_name[strlen(user_name)-1] = '\0'; /* Hopefully fgets always adds + a newline. */ + passwd = getpass("Password: "); ++ } else { ++ ++ if ( user_name == NULL ) ++ user_name = getenv("REXEC_USER"); ++ if ( user_name == NULL ) { ++ uid_t uid = getuid(); ++ struct passwd *pw = getpwuid(uid); ++ if (!(pw && pw->pw_name)) { ++ fprintf(stderr, "Can't lookup uid %d\n", uid); ++ exit(1); ++ } ++ user_name = strdup(pw->pw_name); ++ } ++ if ( passwd == NULL ) ++ passwd = getenv("REXEC_PASS"); ++ if ( passwd == NULL ) ++ passwd = getpass("Password: "); + } + +- if ( user_name == NULL ) +- user_name = getenv("REXEC_USER"); +- if ( passwd == NULL ) +- passwd = getenv("REXEC_PASS"); ++ if (!(user_name && passwd)) { ++ fprintf(stderr, "Can't use %s without supplying a user and password\n", ++ progname); ++ exit(1); ++ } + + if ( (sock = rexec(&host, port_exec, user_name, passwd, command, + p_to_aux_sock)) < 0 ) diff --git a/netkit-rsh-0.16-rlogin=rsh.patch b/netkit-rsh-0.16-rlogin=rsh.patch new file mode 100644 index 0000000..1e06491 --- /dev/null +++ b/netkit-rsh-0.16-rlogin=rsh.patch @@ -0,0 +1,10 @@ +--- netkit-rsh-0.16/rlogin/rlogin.c.rsh Fri Mar 3 08:59:37 2000 ++++ netkit-rsh-0.16/rlogin/rlogin.c Fri Mar 3 08:59:45 2000 +@@ -194,6 +194,7 @@ + p = argv[0]; + + if (strcmp(p, "rlogin")) ++ if (strcmp(p, "rsh")) + host = p; + + /* handle "rlogin host flags" */ diff --git a/netkit-rsh-0.17-pre20000412-jbj5.patch b/netkit-rsh-0.17-pre20000412-jbj5.patch new file mode 100644 index 0000000..a65dfe8 --- /dev/null +++ b/netkit-rsh-0.17-pre20000412-jbj5.patch @@ -0,0 +1,29 @@ +--- netkit-rsh-0.17-pre20000412/rlogind/auth.c.jbj5 Sun Jun 18 11:18:37 2000 ++++ netkit-rsh-0.17-pre20000412/rlogind/auth.c Sun Jun 18 11:21:37 2000 +@@ -37,6 +37,7 @@ + #include "rlogind.h" + + #ifdef USE_PAM ++#include + + /* + * Modifications for Linux-PAM: Al Longyear +@@ -158,18 +159,14 @@ + pwd = getpwnam(localuser); + if (pwd==NULL) { + syslog(LOG_ERR, "user returned by PAM does not exist\n"); +- /* don't print this - it tells people which accounts exist */ +- /*fprintf(stderr, "rlogind: internal error\n");*/ + return -1; + } + if (setgid(pwd->pw_gid) != 0) { + syslog(LOG_ERR, "cannot assume gid for user returned by PAM\n"); +- fprintf(stderr, "rlogind: internal error\n"); + return -1; + } + if (initgroups(localuser, pwd->pw_gid) != 0) { + syslog(LOG_ERR, "initgroups failed for user returned by PAM\n"); +- fprintf(stderr, "rlogind: internal error\n"); + return -1; + } + retval = pam_setcred(pamh, PAM_ESTABLISH_CRED); diff --git a/rexec-xinetd b/rexec-xinetd new file mode 100644 index 0000000..108ac25 --- /dev/null +++ b/rexec-xinetd @@ -0,0 +1,14 @@ +# default: off +# description: Rexecd is the server for the rexec(3) routine. The server \ +# provides remote execution facilities with authentication based \ +# on user names and passwords. +service exec +{ + socket_type = stream + wait = no + user = root + log_on_success += USERID + log_on_failure += USERID + server = /usr/sbin/in.rlogind + disable = yes +} diff --git a/rexec.pam b/rexec.pam new file mode 100644 index 0000000..80ec222 --- /dev/null +++ b/rexec.pam @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth required /lib/security/pam_securetty.so +auth required /lib/security/pam_stack.so service=system-auth +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_stack.so service=system-auth diff --git a/rlogin-xinetd b/rlogin-xinetd new file mode 100644 index 0000000..ee3f8e0 --- /dev/null +++ b/rlogin-xinetd @@ -0,0 +1,13 @@ +# default: on +# description: rlogind is the server for the rlogin(1) program. The server \ +# provides a remote login facility with authentication based on \ +# privileged port numbers from trusted hosts. +service login +{ + socket_type = stream + wait = no + user = root + log_on_success += USERID + log_on_failure += USERID + server = /usr/sbin/in.rlogind +} diff --git a/rlogin.pam b/rlogin.pam new file mode 100644 index 0000000..49745f9 --- /dev/null +++ b/rlogin.pam @@ -0,0 +1,8 @@ +#%PAM-1.0 +auth sufficient /lib/security/pam_rhosts_auth.so +auth required /lib/security/pam_securetty.so +auth required /lib/security/pam_stack.so service=system-auth +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_stack.so service=system-auth +password required /lib/security/pam_stack.so service=system-auth +session required /lib/security/pam_stack.so service=system-auth diff --git a/rsh-xinetd b/rsh-xinetd new file mode 100644 index 0000000..f4551fd --- /dev/null +++ b/rsh-xinetd @@ -0,0 +1,14 @@ +# default: on +# description: The rshd server is the server for the rcmd(3) routine and, \ +# consequently, for the rsh(1) program. The server provides \ +# remote execution facilities with authentication based on \ +# privileged port numbers from trusted hosts. +service shell +{ + socket_type = stream + wait = no + user = root + log_on_success += USERID + log_on_failure += USERID + server = /usr/sbin/in.rshd +} diff --git a/rsh.pam b/rsh.pam new file mode 100644 index 0000000..b9c2899 --- /dev/null +++ b/rsh.pam @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth required /lib/security/pam_rhosts_auth.so +auth required /lib/security/pam_nologin.so +account required /lib/security/pam_stack.so service=system-auth +session required /lib/security/pam_stack.so service=system-auth diff --git a/rsh.spec b/rsh.spec new file mode 100644 index 0000000..94aadb0 --- /dev/null +++ b/rsh.spec @@ -0,0 +1,236 @@ +%define _snapshot -pre20000412 + +Summary: Clients for remote access commands (rsh, rlogin, rcp). +Name: rsh +Version: 0.17 +Release: 2.2 +Copyright: BSD +Group: Applications/Internet +Source: ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/netkit-rsh-%{version}%{_snapshot}.tar.gz +Source1: rexec.pam +Source2: rlogin.pam +Source3: rsh.pam +Source4: http://www.tc.cornell.edu/~sadd/rexec-1.5.tar.gz +Source5: rsh-xinetd +Source6: rlogin-xinetd +Source7: rexec-xinetd +Patch2: netkit-rsh-0.10-sectty.patch +Patch3: netkit-rsh-0.10-rexec.patch +Patch4: netkit-rsh-0.10-stdarg.patch +Patch5: netkit-rsh-0.16-jbj.patch +Patch6: netkit-rsh-0.16-pamfix.patch +Patch7: netkit-rsh-0.16-jbj2.patch +Patch8: netkit-rsh-0.16-jbj3.patch +Patch9: netkit-rsh-0.16-jbj4.patch +Patch10: netkit-rsh-0.16-prompt.patch +Patch11: netkit-rsh-0.16-rlogin=rsh.patch +Patch12: netkit-rsh-0.16-nokrb.patch +Patch13: netkit-rsh-0.17-pre20000412-jbj5.patch +Patch14: netkit-rsh-0.17-pre20000412-glibc22.patch +BuildRoot: %{_tmppath}/%{name}-root + +%description +The rsh package contains a set of programs which allow users to run +commmands on remote machines, login to other machines and copy files +between machines (rsh, rlogin and rcp). All three of these commands +use rhosts style authentication. This package contains the clients +needed for all of these services. +The rsh package should be installed to enable remote access to other +machines. + +%package server +Summary: Servers for remote access commands (rsh, rlogin, rcp). +Group: System Environment/Daemons +Requires: pam >= 0.59, /etc/pam.d/system-auth + +%description server +The rsh-server package contains a set of programs which allow users +to run commmands on remote machines, login to other machines and copy +files between machines (rsh, rlogin and rcp). All three of these +commands use rhosts style authentication. This package contains the +servers needed for all of these services. It also contains a server +for rexec, an alternate method of executing remote commands. +All of these servers are run by inetd and configured using +/etc/inetd.conf and PAM. The rexecd server is disabled by default, +but the other servers are enabled. + +The rsh-server package should be installed to enable remote access +from other machines. + +%prep +%setup -q -n netkit-rsh-%{version}%{_snapshot} -a 4 +%patch2 -p1 -b .sectty +%patch3 -p1 -b .rexec +%patch4 -p1 -b .stdarg +%patch5 -p1 -b .jbj + +# XXX patches {6,7,8} not applied +#%patch6 -p1 -b .pamfix +#%patch7 -p1 -b .jbj2 +#%patch8 -p1 -b .jbj3 + +%patch9 -p1 -b .jbj4 +%patch10 -p1 -b .prompt +%patch11 -p1 -b .rsh +%patch12 -p1 -b .rsh.nokrb + +%patch13 -p1 -b .jbj5 +%patch14 -p1 -b .glibc22 + +# No, I don't know what this is doing in the tarball. +rm -f rexec/rexec + +%build +sh configure +perl -pi -e ' + s,^CC=.*$,CC=cc,; + s,-O2,\$(RPM_OPT_FLAGS),; + s,^BINDIR=.*$,BINDIR=%{_bindir},; + s,^MANDIR=.*$,MANDIR=%{_mandir},; + s,^SBINDIR=.*$,SBINDIR=%{_sbindir},; + ' MCONFIG + +make + +%install +rm -rf ${RPM_BUILD_ROOT} +mkdir -p ${RPM_BUILD_ROOT}%{_bindir} +mkdir -p ${RPM_BUILD_ROOT}%{_sbindir} +mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man{1,5,8} +mkdir -p ${RPM_BUILD_ROOT}/etc/pam.d + +make INSTALLROOT=${RPM_BUILD_ROOT} BINDIR=%{_bindir} MANDIR=%{_mandir} install + +install -m 644 $RPM_SOURCE_DIR/rexec.pam ${RPM_BUILD_ROOT}/etc/pam.d/rexec +install -m 644 $RPM_SOURCE_DIR/rlogin.pam ${RPM_BUILD_ROOT}/etc/pam.d/rlogin +install -m 644 $RPM_SOURCE_DIR/rsh.pam ${RPM_BUILD_ROOT}/etc/pam.d/rsh + +mkdir -p ${RPM_BUILD_ROOT}/etc/xinetd.d/ +install -m644 %SOURCE5 ${RPM_BUILD_ROOT}/etc/xinetd.d/rsh +install -m644 %SOURCE6 ${RPM_BUILD_ROOT}/etc/xinetd.d/rlogin +install -m644 %SOURCE7 ${RPM_BUILD_ROOT}/etc/xinetd.d/rexec + +%clean +rm -rf ${RPM_BUILD_ROOT} + +%files +%defattr(-,root,root) +%attr(4755,root,root) %{_bindir}/rcp +%{_bindir}/rexec +%attr(4755,root,root) %{_bindir}/rlogin +%attr(4755,root,root) %{_bindir}/rsh +%{_mandir}/man1/*.1* + +%files server +%defattr(-,root,root) +%config /etc/pam.d/rsh +%config /etc/pam.d/rlogin +%config /etc/pam.d/rexec +%{_sbindir}/in.rexecd +%{_sbindir}/in.rlogind +%{_sbindir}/in.rshd +/etc/xinetd.d/* +%{_mandir}/man8/*.8* + +%changelog +* Fri Jul 21 2000 Nalin Dahyabhai +- fix typo in the rlogin PAM config file +- continue the tradition of messed-up release numbers + +* Tue Jul 18 2000 Bill Nottingham +- add description & default to xinetd file + +* Wed Jul 12 2000 Prospector +- automatic rebuild + +* Sun Jun 18 2000 Jeff Johnson +- FHS packaging. +- update to 0.17. + +* Thu Jun 1 2000 Nalin Dahyabhai +- modify PAM setup to use system-auth + +* Mon May 29 2000 Nalin Dahyabhai +- expunge all mentions of kerberos authentication or DES encryption using + kerberos from the man pages + +* Thu May 25 2000 Trond Eivind Glomsr�d +- switched to xinetd + +* Tue Mar 7 2000 Jeff Johnson +- rebuild for sparc baud rates > 38400. + +* Fri Mar 04 2000 Nalin Dahyabhai +- make rlogin still work correctly when argv[0] = "rsh" + +* Mon Feb 28 2000 Jeff Johnson +- workaround (by explicitly prompting for password) #4328 and #9715. + +* Wed Feb 9 2000 Jeff Johnson +- mark pam config files as %config. + +* Fri Feb 4 2000 Bill Nottingham +- handle compressed manpages + +* Wed Feb 02 2000 Cristian Gafton +- fix description + +* Sun Jan 30 2000 Bill Nottingham +- remove bogus rexec binary when building; it causes weirdness + +* Fri Jan 28 2000 Jeff Johnson +- Make sure that rshd is compiled with -DUSE_PAM. + +* Mon Jan 10 2000 Jeff Johnson +- Fix bug in rshd (hangs forever with zombie offspring) (#8313). + +* Wed Jan 5 2000 Jeff Johnson +- fix the PAM fix yet again (#8133). + +* Tue Jan 4 2000 Bill Nottingham +- split client and server + +* Tue Dec 21 1999 Jeff Johnson +- update to 0.16. +- dup setuid bits into files list. + +* Fri Jul 30 1999 Jeff Johnson +- update to rexec-1.5 client (#4262) + +* Wed May 19 1999 Jeff Johnson +- fix broken rexec protocol in in.rexecd (#2318). + +* Tue May 4 1999 Justin Vallon +- rcp with error was tricked by stdarg side effect (#2300) + +* Thu Apr 15 1999 Michael K. Johnson +- rlogin pam file was missing comment magic + +* Tue Apr 06 1999 Preston Brown +- strip rexec + +* Fri Mar 26 1999 Jeff Johnson +- rexec needs pam_set_item() (#60). +- clarify protocol in rexecd.8. +- add rexec client from contrib. + +* Sun Mar 21 1999 Cristian Gafton +- auto rebuild in the new build environment (release 22) + +* Mon Mar 15 1999 Jeff Johnson +- compile for 6.0. + +* Fri Apr 24 1998 Prospector System +- translations modified for de, fr, tr + +* Tue Apr 14 1998 Erik Troan +- built against new ncurses + +* Sat Apr 5 1998 Marcelo F. Vianna +- Packaged for RH5.0 (Hurricane) + +* Tue Oct 14 1997 Michael K. Johnson +- new pam conventions + +* Tue Jul 15 1997 Erik Troan +- initial build diff --git a/sources b/sources index e69de29..1f56cea 100644 --- a/sources +++ b/sources @@ -0,0 +1,2 @@ +5723a7f559452123d9b1472e8310989a netkit-rsh-0.17-pre20000412.tar.gz +17c2b2fa2aed6af7e0b850673d5ef1f9 rexec-1.5.tar.gz