Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!usc!snorkelwacker.mit.edu!bloom-picayune.mit.edu!athena.mit.edu!jik
From: jik@athena.mit.edu (Jonathan I. Kamens)
Newsgroups: comp.unix.questions
Subject: Re: Why does rsh give "Permission denied"?
Message-ID: <1991Feb27.184617.106@athena.mit.edu>
Date: 27 Feb 91 18:46:17 GMT
References: <1991Feb26.164557.361@athena.mit.edu>
Sender: news@athena.mit.edu (News system)
Distribution: na
Organization: Massachusetts Institute of Technology
Lines: 34

In article , fitz@mml0.meche.rpi.edu (Brian Fitzgerald) writes:
|> The directory path to $HOME should be executable by "others" and the
|> .rhosts file should be readable by "others".  Adding or removing "user"
|> or "group" permission bits, or the write or execute "others" bits to
|> .rhosts does not alter this.

  Oh, really?  I just created a .rhosts file mode 644, and tried to log in
remotely without a password, and it didn't work.  I then changed it to mode
600, and it did work.

  The only time .rhosts has to be readable by others is on a system where home
directories are remote filesystems (NFS, AFS, whatever) and root isn't
trusted.  And, in that case, the BSD software has to be modified so that it no
longer requires that group and world read permissions be unset from .rhosts.

  It *does* check in standard 4.3BSD, and the reason for it is that if someone
else can read your .rhosts, they can figure out what hosts and users they need
to impersonate in order to log into your account without a password.

  Same with the directory path being executable by others.  That is only
necessary if any portion of the path is on a remote filesystem and root isn't
trusted.

|> The above is true of the Suns and aix machines I have seen.

  Well, then, the machines you have seen have been modified to allow
world-readable permissions on the .rhosts file.  This is not the "default"
behavior of the BSD networking software, although it is becoming more common
as more sites use remote filesystems for home directories.

-- 
Jonathan Kamens                          USnail:
MIT Project Athena                       11 Ashford Terrace
jik@Athena.MIT.EDU                       Allston, MA  02134
Office: 617-253-8085                     Home: 617-782-0710
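
The check this post attributes to standard 4.3BSD (group and world permission bits must be unset on .rhosts), written out as an added C example for auditing a file. It is not the 4.3BSD source or code from this thread; the function names, the flag constants, and the extra ownership and regular-file checks are assumptions of the example.

```c
/* Added example, not 4.3BSD source: audit a .rhosts file for loose modes. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for lstat() and the S_IF* constants */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define RH_NOT_REGULAR 0x01 /* symlink, directory, device, ... */
#define RH_BAD_OWNER   0x02 /* owned by neither the account nor root */
#define RH_GROUP_BITS  0x04 /* any group r/w/x bit is set */
#define RH_WORLD_BITS  0x08 /* any "others" r/w/x bit is set */

/* Policy check on already-fetched stat fields; 0 means nothing to report. */
unsigned rhosts_findings(mode_t mode, uid_t owner, uid_t account)
{
    unsigned f = 0;
    if (!S_ISREG(mode))                 f |= RH_NOT_REGULAR;
    if (owner != account && owner != 0) f |= RH_BAD_OWNER;
    if (mode & S_IRWXG)                 f |= RH_GROUP_BITS;
    if (mode & S_IRWXO)                 f |= RH_WORLD_BITS;
    return f;
}

/* lstat() so that a symlink is judged itself rather than its target.
   Returns the findings mask, or -1 if the file cannot be examined. */
int audit_rhosts(const char *path, uid_t account)
{
    struct stat sb;
    if (lstat(path, &sb) != 0)
        return -1;
    return (int)rhosts_findings(sb.st_mode, sb.st_uid, account);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s path-to-.rhosts\n", argv[0]);
        return 2;
    }
    int f = audit_rhosts(argv[1], getuid());
    if (f < 0) { perror(argv[1]); return 2; }
    if (f & RH_NOT_REGULAR) puts("not a regular file");
    if (f & RH_BAD_OWNER)   puts("owned by neither this account nor root");
    if (f & RH_GROUP_BITS)  puts("group permission bits set");
    if (f & RH_WORLD_BITS)  puts("world permission bits set");
    return f ? 1 : 0;
}
```

Mode 600 yields no findings and mode 644 yields both the group and world findings, matching the two cases tried in the post.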