This is the mail archive of the crossgcc@sourceware.org mailing list for the crossgcc project.

See the CrossGCC FAQ for lots more information.



[patch] chroot-login-howto.html


Hi Everybody,

Here is a patch for the chroot-login-howto and a patch for inetutils-1.4.2 to enable root login without password authentication.
Thanks to dan and sunil for helping me make this possible.

Regards
Deepak

 --
 Hack Hack Hack
--- ./chroot-login-howto.html	2006-12-07 05:47:36.000000000 +0530
+++ ./chroot-login-howto.html	2008-03-23 21:55:48.000000000 +0530
@@ -207,6 +207,40 @@
 If you want to allow remote access by root (which is highly insecure, 
 but useful in limited situations, as you'll see below), add the -o option.
 
+<h3>3.1 Installing r-utilities clients and servers for a embedded target</h3>
+If you want to build the r-utilities for a bare embedded target machine with limited facilities then there are additional challenges to be faced.
+
+<h4>Patching inetutils-1.4.2 for root login access and inetd open connections</h4>
+<p>You should patch the inetutils-1.4.2 package you download to allow root logins and make inetd accept more than 200 client connections for it's servers ( If you have a complete inetd running in the target this is not generally required but in test boards you might have to load your own inetd).
+<p>
+<b>Beware: This patch is highly insecure as it enables root logins without authorization</b>
+</p>
+<p>
+<a href="http://dbbarua.googlepages.com/inetutils-1.4.2.root-allow.inetd.patch";>inetutils-1.4.2-patch</a> 
+</p>
+<p>
+<h4>Configuring and installing inetutils-1.4.2 for target using cross compiler</h4>
+Configure what you need and disable the service that you do not need 
+<pre>
+./configure --prefix=/ --exec-prefix=/ --host=${HOST} --disable-libls --disable-ftpd --disable-syslogd --disable-talkd <br> --disable-telnetd --disable-tftpd --disable-uucpd --disable-ftp --disable-ping --disable-logger --disable-talk <br> --disable-telnet --disable-tftp --disable-whois --disable-ifconfig --disable-dependency-tracking --disable-ncurses <br> --without-ncurses-include-dir --without-included-regex --without-PATHVAR CC=${CROSSCOMPILER} <br>
+</pre>
+The prefix and exec-prefix are the paths which the r-utilities will search for programs it needs to execute like rlogin looks for /bin/login.<br>
+<br>
+we then run make and make install <br>
+<pre>make <br>
+make install DESTDIR=../_install <br></pre>
+
+This creates a '_install' directory  and we need to manually copy the binaries created with their attributes intact
+to the installation directory using <br>
+<pre>cp -a ./_install ${TARGET_ROOT_DIRECTORY}</pre> <br>
+
+Now the r-utilities would be installed in the target board and we can run them.<br> <br>
+
+<b>Note : </b> This installation is assuming that the shared libraries are already installed in the target root directory and <br>  the dynamic linker is working as the r-utilities require the same to execute gethostbyname().
+</p>
+</p>
+
+
 <h3>3.2. Opening up a security hole for the r-utilities</h3>
 If your systems use a firewall, you'll need to open up TCP ports 513 (the 'login' service)
 and 514 (the 'shell' service).  Note that this is a highly insecure thing to do,
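Review bot: The "Beware" line in the new section 3.1 understates what the linked patch does: it speaks only of "root logins without authorization", while the rlogind.c and rshd.c hunks in this same mail stop the iruserok() result from being acted on and remove the nologin check, which affects every account and not only root. Suggest saying that plainly in the warning. Smaller points in the same hunk: the href ends in '";' so a stray semicolon lands inside the anchor tag; the <p> opened before "You should patch" is never closed while two </p> tags close at the end of the section; the <br> tags inside <pre> are redundant; "a embedded" and "it's servers" should read "an embedded" and "its servers"; and the text promises "more than 200 client connections" while the inetd.c hunk sets TOOMANY to 300.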
diff -urN inetutils-1.4.2/inetd/inetd.c inetutils-1.4.2/inetd/inetd.c
--- inetutils-1.4.2/inetd/inetd.c	2002-06-26 08:45:06.000000000 +0530
+++ inetutils-1.4.2/inetd/inetd.c	2008-03-23 14:39:27.000000000 +0530
@@ -127,9 +127,9 @@
 #endif
 #include <grp.h>
 
-#define	TOOMANY		40		/* don't start more than TOOMANY */
-#define	CNT_INTVL	60		/* servers in CNT_INTVL sec. */
-#define	RETRYTIME	(60*10)		/* retry after bind or server fail */
+#define	TOOMANY		300		/* don't start more than TOOMANY */
+#define	CNT_INTVL	400		/* servers in CNT_INTVL sec. */
+#define	RETRYTIME	(400*10)		/* retry after bind or server fail */
 
 #ifndef SIGCHLD
 #define SIGCHLD	SIGCLD
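Review bot: The CNT_INTVL and RETRYTIME changes look unintended next to the TOOMANY change. Going by the comments on these defines, the limit is TOOMANY servers per CNT_INTVL seconds, so moving from 40 per 60 s to 300 per 400 s barely raises the permitted rate, and RETRYTIME grows from 600 s to 4000 s, which makes inetd wait over an hour before retrying a failed bind or server. If the aim is to accept more connections, change TOOMANY alone and leave the other two values as they were, or explain the new values in the howto. Note also that loosening this limit removes a rate limit on spawned servers, which is worth a sentence in the warning.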
diff -urN inetutils-1.4.2/libinetutils/ttymsg.c inetutils-1.4.2/libinetutils/ttymsg.c
--- inetutils-1.4.2/libinetutils/ttymsg.c	2001-11-01 21:22:19.000000000 +0530
+++ inetutils-1.4.2/libinetutils/ttymsg.c	2008-03-22 17:08:30.000000000 +0530
@@ -132,7 +132,7 @@
 	    }
 	  if (wret)
 	    {
-	      (char *)iov->iov_base += wret;
+	      iov->iov_base += wret;
 	      iov->iov_len -= wret;
 	    }
 	  continue;
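Review bot: Dropping the cast on the iov_base line leaves pointer arithmetic on a void pointer, which compiles only as a GNU extension (iov_base is void * in struct iovec, which is why the original cast to char * was there). A portable form is "iov->iov_base = (char *) iov->iov_base + wret;". This is a build fix unrelated to root login and would be easier to review as a separate patch.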
diff -urN inetutils-1.4.2/rlogind/rlogind.c inetutils-1.4.2/rlogind/rlogind.c
--- inetutils-1.4.2/rlogind/rlogind.c	2002-06-26 08:45:06.000000000 +0530
+++ inetutils-1.4.2/rlogind/rlogind.c	2008-03-23 02:38:10.000000000 +0530
@@ -168,7 +168,7 @@
   {0, 0, 0, 0}
 };
 
-int allow_root = 0;
+int allow_root = 1;
 int verify_hostname = 0;
 int keepalive = 1;
 #ifdef KERBEROS
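Review bot: Changing the compiled-in default of allow_root to 1 makes every rlogind built from this tree permit root, with no way to see that from the configuration. The howto context in the first hunk already describes adding the -o option when root access is wanted; keeping "int allow_root = 0;" and passing the option on the target's inetd command line gives the same result on the test board and keeps the insecure setting visible and reversible.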
@@ -757,8 +757,9 @@
       fatal(infd, "Permission denied", 0);
     }
 
-  rc = iruserok (ap->from.sin_addr.s_addr, 0,
+  iruserok (ap->from.sin_addr.s_addr, 0,
 		 ap->rusername, ap->lusername);
+  rc=0;
   if (rc)
     syslog(LOG_ERR, "iruserok failed: rusername=%s, lusername=%s",
 	   ap->rusername, ap->lusername);
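Review bot: Forcing "rc=0;" after the iruserok() call discards the host-equivalence result for every user, not only root, and turns the "if (rc)" branch with the "iruserok failed" syslog into dead code, so a bypassed check leaves no log entry. If the bypass has to exist for test boards, put it behind a configure-time or run-time switch that defaults to off, and keep the return value so the failure is still logged. Style: "rc = 0;" with spaces to match the surrounding code.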
diff -urN inetutils-1.4.2/rshd/rshd.c inetutils-1.4.2/rshd/rshd.c
--- inetutils-1.4.2/rshd/rshd.c	2002-12-11 18:08:00.000000000 +0530
+++ inetutils-1.4.2/rshd/rshd.c	2008-03-23 03:14:37.000000000 +0530
@@ -581,9 +581,9 @@
     }
   else
 #endif
-    if (errorstr || pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0'
-	&& (iruserok (fromp->sin_addr.s_addr, pwd->pw_uid == 0,
-		      remuser, locuser)) < 0)
+
+    if ((errorstr || (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' && (iruserok (fromp->sin_addr.s_addr,0,remuser,locuser)
+))) < 0 )
       {
 	if (__rcmd_errstr)
 	  syslog (LOG_INFO|LOG_AUTH,
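Review bot: The new parenthesization makes this condition always false. The "< 0" used to apply to the iruserok() return value; it now applies to the result of the whole "errorstr || (...)" expression, which is 0 or 1, so the error branch below can never run, even when errorstr is set. That silently removes the errorstr handling as well as the rhosts check. If the intent was only to stop passing the superuser flag (pwd->pw_uid == 0 replaced by 0), keep the original grouping and change just that argument; if the intent is to disable the check, do it explicitly behind an option rather than through operator precedence.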
@@ -601,11 +601,6 @@
       }
 
   /* If the locuser isn't root, then check if logins are disabled. */
-  if (pwd->pw_uid && !access (PATH_NOLOGIN, F_OK))
-    {
-      error ("Logins currently disabled.\n");
-      exit (1);
-    }
 
   /* Now write the null byte back to the client telling it
    * that everything is OK.
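Review bot: This removal is not needed for root login: the deleted test is guarded by pwd->pw_uid, so it only ever applied to non-root users, and dropping it means rshd ignores PATH_NOLOGIN for them. It also leaves the comment "If the locuser isn't root, then check if logins are disabled." describing code that no longer exists. Suggest dropping this hunk, or if the removal is intentional, removing the comment too and documenting the change in the howto warning.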