"on" command

Matt Landau mlandau at diamond.bbn.com
Tue Nov 14 02:56:07 AEST 1989


The basic problem is that rexd is too trusting about who a request is
coming from, making it trivial to masquerade as any host and (non-root)
user and execute remote commands on any machine that runs rexd.  I don't
want to provide any more details in a public forum, since there are
already too many people who know about this :-)

We fixed the problem by modifying the rexd sources so they get the host
name corresponding to the IP address of the incoming request and make sure
it's in /etc/hosts.equiv before agreeing to process the request.  This
makes on exactly as (in)secure as rsh/rlogin, which seems to be good
enough for most people's purposes.

 Matt Landau		    		Rebel without a clue.
 mlandau at bbn.com
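
The check described in the message above, sketched in C as an added example; this is not the modified rexd source and not code from the original post. The function names, the sample file contents, and the choice to honor only single-field host lines are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <netdb.h>

/* Return 1 if `host` is listed in hosts.equiv-format text read from `fp`.
 * First match wins. Only bare host lines grant trust: "+" wildcards,
 * netgroups, comments and "host user" lines are ignored (assumed policy). */
int host_in_equiv(FILE *fp, const char *host)
{
    char line[512];
    while (fgets(line, sizeof line, fp)) {
        char *name = strtok(line, " \t\r\n");   /* first field: host */
        char *extra = strtok(NULL, " \t\r\n");  /* second field: user */
        if (!name || extra || *name == '#' || *name == '+')
            continue;
        if (*name == '-') {                     /* explicit denial */
            if (strcasecmp(name + 1, host) == 0) return 0;
            continue;
        }
        if (strcasecmp(name, host) == 0) return 1;
    }
    return 0;
}

/* Map the peer address of an incoming request to a host name and check it.
 * NI_NAMEREQD makes the lookup fail when the address has no name at all. */
int peer_is_trusted(const struct sockaddr *sa, socklen_t len, const char *path)
{
    char host[1025];
    FILE *fp;
    int ok;
    if (getnameinfo(sa, len, host, sizeof host, NULL, 0, NI_NAMEREQD) != 0)
        return 0;
    if ((fp = fopen(path, "r")) == NULL) return 0;
    ok = host_in_equiv(fp, host);
    fclose(fp);
    return ok;
}

/* Constructed sample file contents, used to exercise the parser offline. */
static const char SAMPLE_EQUIV[] = "# trusted hosts\nalpha.example.com\n"
    "-beta.example.com\nbeta.example.com\ngamma.example.com operator\n+\n";

int sample_trusts(const char *host)
{
    FILE *fp = fmemopen((void *)SAMPLE_EQUIV, sizeof SAMPLE_EQUIV - 1, "r");
    int ok = fp ? host_in_equiv(fp, host) : 0;
    if (fp) fclose(fp);
    return ok;
}
```

A server would call `peer_is_trusted()` with the address returned by `accept()` or `getpeername()` and refuse the request on 0. The name comes from whoever controls the reverse DNS zone for that address, which is part of why this check is only as strong as rsh/rlogin host trust.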


