ken@gvax.cs.cornell.edu (Ken Birman) (02/05/90)
One of our users asked me to remind people that the ISIS "rexec" program isn't enforcing any sort of security in ISIS V1.3.1 (the V2.0 version of rexec is fixed in this respect). This means that if you run rexec as root, it offers a simple way for knowledgeable ISIS users to run any program they wish as root on any machine where rexec is up. We suggest that you make the rexec binary "setuid" to user "nobody" to avoid this problem.

FYI, UNIX has a much more serious security flaw if you run NFS servers without using the SUN authentication server. Without going into details, I urgently recommend that if you use NFS, you start running it in authenticated mode immediately. The performance impact is small and this may save you major headaches down the line.

Ken