[Beowulf] password-less "rsh"
Joe Landman
landman at scalableinformatics.com
Sat Jul 30 16:55:30 PDT 2005
Hi John:
John Hearns wrote:
> On Sat, 2005-07-30 at 15:26 -0400, Brian R Smith wrote:
>
>>On Fedora, the easiest way to do this (if you don't use/need kerberos)
>>is by
>>
>>rm -f /etc/profile.d/krb*
>>
>
> Come, come. Isn't hunting with automatic weapons banned,
> even in the USA?
Depends upon the caliber :^ and the state. It is considered
unsportsmanlike....
> I'm STILL trying to think of some shell magic to cut
> out /usr/kerberos/bin from the $PATH, no matter where it is located.
>
> The best I can come up with is:
>
> export PATH=`echo $PATH | cut -d: -f2-`
This is *always* dangerous, if some nefarious bit of software modifies
PATH to be somehow unsafe before hand
export PATH="\`rm -rf /\'"
(on purpose, or via a bug, and yes I have seen buggy shell scripts do
stuff like this).
It would be better to regex substitute it out if it exists.
e.g.:
[root at crunch-r ~]# env |grep -i path
PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/opt/mpich2-1.0.2/bin:/root/bin
[root at crunch-r ~]# env |grep -i path | perl -p -e
's/\/(\w+\/){1,}kerberos\/(\w+\/{0,1})://ig'
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/opt/mpich2-1.0.2/bin:/root/bin
> (In explanation, this only cuts off the kerberos path if it comes
> first.)
Even in this case, there may be security issues. You can toss a -T
(taint) switch on there if you are worried.
Joe
>
> _______________________________________________
> Beowulf mailing list, Beowulf at beowulf.org
> To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics LLC,
email: landman at scalableinformatics.com
web : http://www.scalableinformatics.com
phone: +1 734 786 8423
fax : +1 734 786 8452
cell : +1 734 612 4615
More information about the Beowulf
mailing list