[Beowulf] password-less "rsh"

[Joe Landman]

Hi John:

John Hearns wrote:
> On Sat, 2005-07-30 at 15:26 -0400, Brian R Smith wrote:
> 
>>On Fedora, the easiest way to do this (if you don't use/need kerberos)
>>is by 
>>
>>rm -f /etc/profile.d/krb*
>>
> 
> Come, come.  Isn't hunting with automatic weapons banned, 
> even in the USA?

Depends upon the caliber :^ and the state.  It is considered 
unsportsmanlike....

> I'm STILL trying to think of some shell magic to cut
> out /usr/kerberos/bin from the $PATH, no matter where it is located.
> 
> The best I can come up with is:
> 
>  export PATH=`echo $PATH | cut -d: -f2-`

This is *always* dangerous, if some nefarious bit of software modifies 
PATH to be somehow unsafe before hand

	export PATH="\`rm -rf /\'"

(on purpose, or via a bug, and yes I have seen buggy shell scripts do 
stuff like this).

It would be better to regex substitute it out if it exists.

e.g.:

[root at crunch-r ~]# env |grep -i path
PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/opt/mpich2-1.0.2/bin:/root/bin
[root at crunch-r ~]# env |grep -i path | perl -p -e 
's/\/(\w+\/){1,}kerberos\/(\w+\/{0,1})://ig'
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/opt/mpich2-1.0.2/bin:/root/bin

> (In explanation, this only cuts off the kerberos path if it comes
> first.)

Even in this case, there may be security issues.  You can toss a -T 
(taint) switch on there if you are worried.

Joe

> 
> _______________________________________________
> Beowulf mailing list, Beowulf at beowulf.org
> To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf

-- 
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics LLC,
email: landman at scalableinformatics.com
web  : http://www.scalableinformatics.com
phone: +1 734 786 8423
fax  : +1 734 786 8452
cell : +1 734 612 4615