Peter Buckley wrote: > >> Regardless, to me it's still would be a large security hole if all one >> needs to do is: >> >> $ echo "+" > ~/.rhosts >> >> to be able to abuse rsh to do something under somebody else's user ID >> is it not? > > rsh is inherently insecure. Attempts to make it secure are not > worthwhile (in fact, they tend to break rsh). Especially in the land of > NT insecurity, trying to make rsh secure simply makes it unusable.
What are you talking about?!? It's simple, if rsh is called with the -l parameter (assuming the it's not -l <current user>) then prompt for a password. If that's not doable then fail with an error message of some sort. But lord's sakes laddy! Don't just let them walk in! :-) -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Bug reporting: http://cygwin.com/bugs.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
