On Thu, Oct 30, 2014 at 04:40:57PM +0000, David Holland wrote: > > } > > } Module Name: src > > } Committed By: dholland > > } Date: Thu Oct 30 06:13:50 UTC 2014 > > } > > } Modified Files: > > } src/usr.bin/rsh: rsh.c > > } > > } Log Message: > > } Drop setuid before execing rlogin. Failure to do so should be > > } harmless, but is sloppy. > > > > Uh... > > > > -r-xr-xr-x 1 root wheel 16303 Sep 18 17:35 /usr/bin/rsh* > > -r-sr-xr-x 1 root wheel 16169 Sep 11 04:45 /bin/rcmd > > It doesn't *work* if not setuid.
Although I suppose that code is outside IN_RCMD. So maybe it's useless; but on the other hand, what are the odds of someone taking the code and installing it the traditional way? Plus I'm sure the Coverity report that triggered this discussion in the first place thought the code was running setuid. -- David A. Holland dholl...@netbsd.org