Script to eliminate .rlogin files

Hi guys, I'm trying to make a script to eliminate rlogin files.

path1='/home/*'
for i in `cat /etc/passwd |awk -F: '{print $6}'`; do
    if test "$i" = "$path1"; then
    echo $i
    cd $i
         if [ -f .rhosts ]; then
               echo "$i/.rhosts detectado"|mail -s "rhosts" root
               rm -f $i/.rhosts
          fi
     fi
done

I want my script to check only users with a path in /home/, but the symbol "*" is not working.

How can I make the "test" command compare the path "$i" with the path /home/* (i.e. /home/ for all users)?

Any suggestions?

Thanks!

nena.

"*" doesn't work in quotes. Even if it did, that's probably not where you'd want to put it.

You also have several useless uses of cat and backticks.

You don't need to cd into each and every individual home directory either. And if you do, you should really cd back out after, or you won't be able to cd into anything else under /home/ after. If you're going to use awk, you might as well check for /home inside it too.

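# awk keeps only passwd entries whose home directory starts with /home.
# It prints the whole colon-separated line, so read must split on ':'.
awk -v FS=':' '($6 ~ /^\/home/)' < /etc/passwd | 
while IFS=: read -r USERNAME G G G G H G
do
        if [ -f "$H/.rhosts" ]
        then
                echo "$H/.rhosts detectado" | mail -s "rhosts" root
                rm -f "$H/.rhosts"
        fi
done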

*?[0-9] will not glob inside any sort of quotes (or if there is no compatible target, the globbing characters persist). test = does not glob BTW; [ is test, and it is a shell builtin in more advanced shells.

Why not simplify:

 
for f in /home/*/.rhosts
do
 if [ "$f" = "/home/*/.rhosts" ]
 then
  exit
 fi
 
 ....
done

A parody of your script but using grep in a pipeline to select lines starting with /home/ . Using "while read" avoids the "for .... in open-ended-list" syntax which is notorious for generating command lines which are too long.

awk -F: '{print $6}' /etc/passwd | grep "^\/home\/" | while read -r home_dir
do
         # Quote the path so a home directory containing spaces is handled
         if [ -f "${home_dir}/.rhosts" ]; then
               echo "${home_dir}/.rhosts detectado"|mail -s "rhosts" root
               rm -f "${home_dir}/.rhosts"
          fi
done

Hey thanks!!!!

  
#!/bin/sh

for H in /home/*
do
        if [ -f "$H/.rhosts" ];
        then
                echo "$H/.rhosts detectado"|mail -s "rhosts" root
                rm -f "$H/.rhosts"
        fi
done


.shosts for ssh has a similar layout, but I am not sure it does much, since for the good life you need to make and distribute keys, but you might just rename them .shosts or .rhosts_not_allowed.

As prevention, on all accounts, why not put a root-owned file, readable but not writable, at the original .rhosts name with a message inside?

@DGPickett
Permissions 600 and owner "root" are correct and preferred permissions for all ".rhosts" files.

Hey there. I believe the script loop you presented can be quickly accomplished with two "find" commands ....

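# The list of paths goes in the mail body (xargs would pass them to mail as recipients)
find /home -maxdepth 2 -name '.rhosts' | mail -s "rhosts" root
# -exec passes each path intact, including names with spaces
find /home -maxdepth 2 -name '.rhosts' -exec rm -f {} +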

What about if root owns it and it is 444 and inside says "# Do not use .rhosts -- SysAdmin"? Can the user rename it or change the permissions? My .rhosts files were all owned by me, but I do recall permissions were critical.

Of course, everyone can have the same inode.

If you remove it, they can add it back. An ounce of prevention.

They can do better than that, they can delete the thing, since that's controlled by directory permissions, not file permissions.

And then the user cannot add a file to their home dir ?

On most systems the .rhosts will not work at all unless the permissions are 600 (and owned by root or the particular user).

Right, so to prevent, do not have 600, have 444 and root ownership so user cannot remove.

Isn't there a command line option to rlogind to just disable .rhosts? My man page suggests -l does it.

There are controls for rlogind, varies by OS, but security auditors have no brain or trust, just a check list, which is why putting a fake one in place as permanent prevention, while much better than daily/hourly scans, is less acceptable in practice.

They should audit for rlogind being removed, and all the r commands like that, forcing use of ssh2, preferably.
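The original question, how to match a home directory against /home/*, can be answered with `case`, which does glob matching where `test` does not. The sketch below is an added example, not code from any poster in the thread; the function names `find_rhosts` and `make_fixture`, the `remove` argument and the sample accounts are assumptions, and the fixture data is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread.
# find_rhosts PASSWD_FILE PREFIX [remove]
#   Prints "user path" for each .rhosts/.shosts in a home directory under
#   PREFIX; with "remove" as third argument it also deletes the file.
find_rhosts() {
    passwd_file=$1 prefix=${2%/} action=${3:-report}
    # IFS=: splits passwd fields; -r keeps backslashes literal.
    while IFS=: read -r user _pw _uid _gid _gecos home _shell; do
        # case does glob matching, which test/[ with = does not.
        # "$prefix"/* accepts /home/alice but not /homeless/eve.
        case $home in
            "$prefix"/*) ;;
            *) continue ;;
        esac
        for name in .rhosts .shosts; do
            f=$home/$name
            # -f follows symlinks; -L also catches a dangling link.
            if [ -f "$f" ] || [ -L "$f" ]; then
                printf '%s %s\n' "$user" "$f"
                if [ "$action" = remove ]; then
                    rm -f -- "$f"   # removes a link itself, not its target
                fi
            fi
        done
    done < "$passwd_file"
}

# Constructed fixture: a throwaway tree and passwd-format file (sample data).
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/alice" "$root/home/bob" "$root/homeless/eve"
    : > "$root/home/alice/.rhosts"
    : > "$root/home/bob/.shosts"
    : > "$root/homeless/eve/.rhosts"    # outside the prefix, must be ignored
    cat > "$root/passwd" <<EOF
alice:x:1000:1000:Alice A:$root/home/alice:/bin/sh
bob:x:1001:1001::$root/home/bob:/bin/sh
eve:x:1002:1002::$root/homeless/eve:/bin/sh
EOF
    printf '%s\n' "$root"
}

# Report-only run against the fixture.
fixture=$(make_fixture) && find_rhosts "$fixture/passwd" "$fixture/home"
rm -rf "$fixture"
```

On a real host the call would be `find_rhosts /etc/passwd /home`, with the output piped to the thread's `mail -s "rhosts" root`.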