This is the mail archive of the crossgcc@sourceware.org mailing list for the crossgcc project.
See the CrossGCC FAQ for lots more information.
Hi Everybody,

Here is a patch for the chroot-login-howto and a patch for inetutils-1.4.2 to enable root login without password authentication. Thanks to dan and sunil for helping me make this possible.

Regards
Deepak
--
Hack Hack Hack
--- ./chroot-login-howto.html 2006-12-07 05:47:36.000000000 +0530 +++ ./chroot-login-howto.html 2008-03-23 21:55:48.000000000 +0530 
@@ -207,6 +207,40 @@ If you want to allow remote access by root (which is highly insecure, but useful in limited situations, as you'll see below), add the -o option. +<h3>3.1 Installing r-utilities clients and servers for a embedded target</h3> +If you want to build the r-utilities for a bare embedded target machine with limited facilities then there are additional challenges to be faced. + +<h4>Patching inetutils-1.4.2 for root login access and inetd open connections</h4> +<p>You should patch the inetutils-1.4.2 package you download to allow root logins and make inetd accept more than 200 client connections for it's servers ( If you have a complete inetd running in the target this is not generally required but in test boards you might have to load your own inetd). +<p> +<b>Beware: This patch is highly insecure as it enables root logins without authorization</b> +</p> +<p> +<a href="http://dbbarua.googlepages.com/inetutils-1.4.2.root-allow.inetd.patch">inetutils-1.4.2-patch</a> +</p> +<p> +<h4>Configuring and installing inetutils-1.4.2 for target using cross compiler</h4> +Configure what you need and disable the service that you do not need +<pre> +./configure --prefix=/ --exec-prefix=/ --host=${HOST} --disable-libls --disable-ftpd --disable-syslogd --disable-talkd <br> --disable-telnetd --disable-tftpd --disable-uucpd --disable-ftp --disable-ping --disable-logger --disable-talk <br> --disable-telnet --disable-tftp --disable-whois --disable-ifconfig --disable-dependency-tracking --disable-ncurses <br> --without-ncurses-include-dir --without-included-regex --without-PATHVAR CC=${CROSSCOMPILER} <br> +</pre> +The prefix and exec-prefix are the paths which the r-utilities will search for programs it needs to execute like rlogin looks for /bin/login.<br> +<br> +we then run make and make install <br> +<pre>make <br> +make install DESTDIR=../_install <br></pre> + +This creates a '_install' directory and we need to manually copy the binaries created with their attributes 
intact +to the installation directory using <br> +<pre>cp -a ./_install ${TARGET_ROOT_DIRECTORY}</pre> <br> + +Now the r-utilities would be installed in the target board and we can run them.<br> <br> + +<b>Note : </b> This installation is assuming that the shared libraries are already installed in the target root directory and <br> the dynamic linker is working as the r-utilities require the same to execute gethostbyname(). +</p> +</p> + + <h3>3.2. Opening up a security hole for the r-utilities</h3> If your systems use a firewall, you'll need to open up TCP ports 513 (the 'login' service) and 514 (the 'shell' service). Note that this is a highly insecure thing to do,
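Review bot: The install steps in the added section 3.1 do not line up. make install is given DESTDIR=../_install (the parent directory) while the next step copies ./_install, and cp -a ./_install ${TARGET_ROOT_DIRECTORY} puts an _install directory inside an existing target root instead of merging its contents. Suggest an absolute staging path, for example make install DESTDIR=$PWD/_install followed by cp -a _install/. ${TARGET_ROOT_DIRECTORY}/, since a relative DESTDIR is interpreted from each subdirectory that make enters. The markup also needs a pass: the paragraph opened before the "Beware" warning is never closed, the two h4 headings sit inside paragraph elements, two closing paragraph tags are stacked at the end, and "it's servers" should be "its servers". The bold warning would be more useful if it said what the linked patch changes, namely that the iruserok result is ignored for every account and not only for root.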
diff -urN inetutils-1.4.2/inetd/inetd.c inetutils-1.4.2/inetd/inetd.c --- inetutils-1.4.2/inetd/inetd.c 2002-06-26 08:45:06.000000000 +0530 +++ inetutils-1.4.2/inetd/inetd.c 2008-03-23 14:39:27.000000000 +0530 @@ -127,9 +127,9 @@ #endif #include <grp.h> -#define TOOMANY 40 /* don't start more than TOOMANY */ -#define CNT_INTVL 60 /* servers in CNT_INTVL sec. */ -#define RETRYTIME (60*10) /* retry after bind or server fail */ +#define TOOMANY 300 /* don't start more than TOOMANY */ +#define CNT_INTVL 400 /* servers in CNT_INTVL sec. */ +#define RETRYTIME (400*10) /* retry after bind or server fail */ #ifndef SIGCHLD #define SIGCHLD SIGCLD diff -urN inetutils-1.4.2/libinetutils/ttymsg.c inetutils-1.4.2/libinetutils/ttymsg.c --- inetutils-1.4.2/libinetutils/ttymsg.c 2001-11-01 21:22:19.000000000 +0530 +++ inetutils-1.4.2/libinetutils/ttymsg.c 2008-03-22 17:08:30.000000000 +0530 @@ -132,7 +132,7 @@ } if (wret) { - (char *)iov->iov_base += wret; + iov->iov_base += wret; iov->iov_len -= wret; } continue; diff -urN inetutils-1.4.2/rlogind/rlogind.c inetutils-1.4.2/rlogind/rlogind.c --- inetutils-1.4.2/rlogind/rlogind.c 2002-06-26 08:45:06.000000000 +0530 +++ inetutils-1.4.2/rlogind/rlogind.c 2008-03-23 02:38:10.000000000 +0530 @@ -168,7 +168,7 @@ {0, 0, 0, 0} }; -int allow_root = 0; +int allow_root = 1; int verify_hostname = 0; int keepalive = 1; #ifdef KERBEROS @@ -757,8 +757,9 @@ fatal(infd, "Permission denied", 0); } - rc = iruserok (ap->from.sin_addr.s_addr, 0, + iruserok (ap->from.sin_addr.s_addr, 0, ap->rusername, ap->lusername); + rc=0; if (rc) syslog(LOG_ERR, "iruserok failed: rusername=%s, lusername=%s", ap->rusername, ap->lusername); diff -urN inetutils-1.4.2/rshd/rshd.c inetutils-1.4.2/rshd/rshd.c --- inetutils-1.4.2/rshd/rshd.c 2002-12-11 18:08:00.000000000 +0530 +++ inetutils-1.4.2/rshd/rshd.c 2008-03-23 03:14:37.000000000 +0530 
@@ -581,9 +581,9 @@ } else #endif - if (errorstr || pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' - && (iruserok (fromp->sin_addr.s_addr, pwd->pw_uid == 0, - remuser, locuser)) < 0) + + if ((errorstr || (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' && (iruserok (fromp->sin_addr.s_addr,0,remuser,locuser) +))) < 0 ) { if (__rcmd_errstr) syslog (LOG_INFO|LOG_AUTH, @@ -601,11 +601,6 @@ } /* If the locuser isn't root, then check if logins are disabled. */ - if (pwd->pw_uid && !access (PATH_NOLOGIN, F_OK)) - { - error ("Logins currently disabled.\n"); - exit (1); - } /* Now write the null byte back to the client telling it * that everything is OK.
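Review bot: In the inetd.c hunk, RETRYTIME goes from (60*10) to (400*10), which looks like a side effect of replacing 60 with 400 rather than an intended change: per its own comment this is the delay before retrying after a bind or server failure, so a failed service now stays down for over an hour instead of ten minutes. TOOMANY 300 with CNT_INTVL 400 also barely changes the permitted rate compared with 40 per 60 seconds; it mostly enlarges the burst. If the goal is a larger burst on a test board, raise TOOMANY only, leave CNT_INTVL and RETRYTIME alone, and say in the comment why the limit was raised.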
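Review bot: In the ttymsg.c hunk, dropping the cast leaves arithmetic on iov->iov_base in its declared type; the removed (char *) cast suggests that type is not a character pointer, and += on a void pointer is a GNU extension rather than standard C. The portable form is iov->iov_base = (char *)iov->iov_base + wret;. This is a build fix unrelated to root login and would be easier to review as its own patch.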
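Review bot: In the first rlogind.c hunk (line 168), changing the compiled-in default to allow_root = 1 enables root login for every user of this build, while the howto text being patched alongside already describes the -o option as the way to allow remote root access. Prefer leaving the default at 0 and passing -o in the target's inetd configuration, so the insecure setting is visible where the service is declared.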
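Review bot: In the second rlogind.c hunk (line 757), the return value of iruserok is discarded and rc is forced to 0, so the following if (rc) branch and its syslog call are dead code and the remote-user check is skipped for every local account, not just root. If the bypass is really wanted for a lab target, put it behind a clearly named compile-time option (off by default) and remove the now pointless iruserok call inside that branch, rather than leaving a call whose result is ignored.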
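Review bot: In the rshd.c hunk at line 581, the new parentheses move the < 0 comparison onto the result of the whole || expression. A logical OR yields 0 or 1, so the condition is never true and the error block below is never entered, including when errorstr is set, which the original code did report. The second argument to iruserok also changes from pwd->pw_uid == 0 to a constant 0 without explanation. If the intent is to skip the check, make that explicit and keep the errorstr test working; if not, restore the original grouping so that only the iruserok result is compared with 0.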
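Review bot: In the rshd.c hunk at line 601, the removed test was guarded by pwd->pw_uid, so it never applied to root in the first place; deleting it does nothing for root login and only stops PATH_NOLOGIN from being honoured for ordinary users. It also leaves the comment "If the locuser isn't root, then check if logins are disabled." describing code that no longer exists. Suggest dropping this hunk from the patch.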