UNIX System Administration Handbook - Evi Nemeth [306]
Since you are distributing administrative files such as /etc/passwd, it’s pretty much a given that root access on the master server can be parlayed into root access on clients. That’s not the problem. The problem is that by running rlogind (the server for rsh and also rlogin and rcp), client machines leave themselves open to other types of attack.
Our general advice is not to run rlogind at all. If you are determined to use rdist, you should at least use Wietse Venema’s TCP wrappers package to restrict which hosts may contact each client’s rlogind. The TCP wrappers package is available from ftp.porcupine.org; more information is given on page 666.
It’s possible to run rdist as a user other than root, but rlogind must still run on each remote host. In addition, this configuration requires that software run on each client to pick up the copied-over files and install them in their final destinations, which can only be done as root. Even with these changes, it would still be easy for a nonroot intruder to submit a falsified /etc/passwd file to the remote systems. Therefore, we do not feel that nonroot rdist offers much additional security.
The Red Hat and FreeBSD versions of rdist allow rsh to be replaced by any other command that understands the same syntax. In practice, this means ssh, which offers two main advantages. First, ssh can use public key cryptography to verify the identity of the master host. Second, ssh encrypts the entire rdist conversation, preventing network eavesdroppers from obtaining copies of your system files. The disadvantage is that you must run the remote ssh servers in a mode that does not require a password, which is a less secure mode than we would normally recommend. See page 672 for more information about sshd and its authentication modes.
Now that we’ve belabored the perils of rdist, let’s look at how it actually works. Like make, rdist looks for a control file (Distfile or distfile) in the current directory. rdist -f distfile explicitly specifies the control file’s pathname. Within the Distfile, tabs, spaces, and newlines are used interchangeably as separators. Comments are introduced with a pound sign (#).
The meat of a Distfile consists of statements of the form
label: pathnames -> destinations commands
The label field associates a name with the statement. From the shell, you can run rdist label to distribute only the files described in a particular statement.
The pathnames and destinations are lists of files to be copied and hosts to copy them to, respectively. If there is more than one entry in a list, it must be surrounded with parentheses and the elements must be separated with whitespace. The pathnames can include shell-style globbing characters (e.g., /usr/man/man[123] or /usr/lib/*). The notation ~user is also acceptable, but it is evaluated separately on the source and destination machines.
By default, rdist copies the files and directories listed in pathnames to the equivalent paths on each destination machine. You can modify this behavior by supplying a sequence of commands. Terminate each command with a semicolon.
The following commands are understood:
install options [destdir];
notify namelist;
except pathlist;
except_pat patternlist;
special [pathlist] string;
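The statement form and command list above, as an added example that is not from the handbook: the Python below parses Distfile statements so you can review which hosts receive which files before running rdist. The sample Distfile, its host names and address, and the function names are constructed for illustration. The parser covers only the syntax described here, and hosts_receiving matches literal pathnames only (no globbing or except handling).

```python
import re

# Commands this page lists as understood inside a Distfile statement.
KNOWN_COMMANDS = {"install", "notify", "except", "except_pat", "special"}
TOKEN = re.compile(r'"[^"]*"|#[^\n]*|->|[();]|(?:(?!->)[^\s();"])+')

# Constructed sample input; hosts, address and layout are invented.
SAMPLE = '''
# push account files (a comment line inside the Distfile)
accounts: ( /etc/passwd /etc/group ) -> ( client1 client2 )
    notify admin@example.com;
mail: /etc/mail/aliases -> client3 special /etc/mail/aliases "/usr/bin/newaliases";
'''

def tokenize(text):
    # Tabs, spaces and newlines only separate tokens; '#' comments are dropped.
    return [t for t in TOKEN.findall(text) if not t.startswith("#")]

def read_list(toks, i):
    # A list is one bare name, or a parenthesized whitespace-separated group.
    if i >= len(toks):
        raise ValueError("unexpected end of Distfile")
    if toks[i] != "(":
        return [toks[i]], i + 1
    end = toks.index(")", i)  # ValueError if the list is never closed
    return toks[i + 1:end], end + 1

def parse_distfile(text):
    toks, i, statements = tokenize(text), 0, []
    while i < len(toks):
        label = None
        if toks[i].endswith(":"):
            label, i = toks[i][:-1], i + 1
        paths, i = read_list(toks, i)
        if i >= len(toks) or toks[i] != "->":
            raise ValueError(f"expected '->' after pathnames {paths!r}")
        hosts, i = read_list(toks, i + 1)
        commands = []
        while i < len(toks) and toks[i] in KNOWN_COMMANDS:
            end = toks.index(";", i)  # each command ends with a semicolon
            commands.append(toks[i:end])
            i = end + 1
        statements.append({"label": label, "pathnames": paths,
                           "destinations": hosts, "commands": commands})
    return statements

def hosts_receiving(statements, path):
    # Audit helper: hosts named by any statement that lists `path` literally.
    return sorted({h for s in statements if path in s["pathnames"]
                   for h in s["destinations"]})
```

Calling hosts_receiving(parse_distfile(SAMPLE), "/etc/passwd") lists every client that would accept a pushed password file, which is the set of machines exposed if the master is compromised.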
The install command sets options that affect the way rdist copies files. Options typically control the treatment of symbolic links, the correctness of rdist’s difference-checking algorithm, and the way that deletions are handled. Options are specified differently on different systems and are not explained here in detail; check your man pages for more information.
The name “install” is somewhat misleading, since files are copied whether or not an install command is present. Options are specified as they would be on the rdist command line, but when included in the Distfile they apply to only one set of files.
The optional destdir specifies an installation directory