FS#28819 - [inetutils] Stop building insecure rexec
Attached to Project: Arch Linux
Opened by Mantas Mikulėnas (grawity) - Wednesday, 07 March 2012, 23:14 GMT
Last edited by Eric Belanger (Snowman) - Wednesday, 25 April 2012, 19:48 GMT
Details
inetutils 1.9.1-1 still packages the 'rexecd' daemon and 'rexec' client, among other things. The problems with it are:

1. The r* family is very much obsolete. The protocols are ugly. The authentication (.rhosts) sucks. Everyone has switched to 'ssh', and those who haven't are using 'telnet'.

2. The security problems with the r* family are well-known, but rexec is worse than the others. Instead of .rhosts, the rexec protocol uses plain-text password authentication, and the daemon only checks /etc/shadow (no PAM support).

3. The best part? 'rexecd' will happily execute your command even if you give it a wrong password.

Steps to reproduce:

1. In /etc/xinetd.conf, add "enabled = exec" for the 'exec' service.
2. Restart or SIGHUP xinetd.
3. Run `rexec -h localhost -u root -p ANYTHING id`

Example:

    $ rexec -h localhost -u root -p INCORRECT id
    Password incorrect
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
    $

It's possible to misconfigure anything, but such components as PAM and SSHd are well-documented and obviously security-related. OTOH, rexec has no documentation at all, and simply *enabling* it exposes the system without any knowledge by the user. It is not hard to imagine a user who discovers a bunch of services under xinetd.d, enables them to try them out, then forgets them.

Suggestion: Drop rexec & rexecd. Optionally, also drop rsh/rshd and rlogin/rlogind.
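An added audit helper, not part of the report and not code from inetutils or xinetd, that follows up the reporter's point about forgotten services under xinetd.d: it parses xinetd-style config text and lists which r* daemons the configuration would actually expose. The parser is deliberately simplified, the enabled/disabled/disable precedence it applies is an assumed model of xinetd's behaviour, and SAMPLE_CONF is constructed to mirror the report's "enabled = exec" reproduction step.

```python
import re

# /etc/services names the r* daemons are registered under.
R_SERVICES = {"exec": "rexecd", "shell": "rshd", "login": "rlogind"}
_BLOCK = re.compile(r"(defaults|service\s+(\S+))\s*\{(.*?)\}", re.S)

def parse_xinetd(text):
    """Constructed, simplified parser: returns (defaults, {service: attrs}).
    No include/includedir; concatenate /etc/xinetd.d/* into text first."""
    text = "\n".join(ln.split("#", 1)[0] for ln in text.splitlines())
    defaults, services = {}, {}
    for m in _BLOCK.finditer(text):
        attrs = {}
        for line in m.group(3).splitlines():
            if "=" in line:
                key, val = line.split("=", 1)
                attrs[key.strip()] = val.strip()
        if m.group(1) == "defaults":
            defaults.update(attrs)
        else:
            services[m.group(2)] = attrs
    return defaults, services

def active_r_daemons(text):
    """Sorted r* daemons this config exposes. Assumed xinetd model: active unless
    in defaults 'disabled', missing from a defaults 'enabled' allow-list, or
    the service block says 'disable = yes'."""
    defaults, services = parse_xinetd(text)
    allow = set(defaults.get("enabled", "").split())
    deny = set(defaults.get("disabled", "").split())
    hits = []
    for name, attrs in services.items():
        if (name in R_SERVICES and name not in deny
                and (not allow or name in allow)
                and attrs.get("disable", "no").lower() != "yes"):
            hits.append(R_SERVICES[name])
    return sorted(hits)

# Constructed sample mirroring the report's "enabled = exec" in defaults.
SAMPLE_CONF = """
defaults { enabled = exec }
service exec { server = /usr/bin/rexecd   # plain-text password, no PAM
               disable = no }
service shell { server = /usr/bin/rshd
                disable = no }
"""

if __name__ == "__main__":
    print(active_r_daemons(SAMPLE_CONF))  # ['rexecd']
```

With the allow-list in defaults only 'exec' is live; dropping that line would expose rshd as well, which is the "enable to try them out, then forget" case the report describes.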
Closed by Eric Belanger (Snowman)
Wednesday, 25 April 2012, 19:48 GMT
Reason for closing: Fixed
Additional comments about closing: rcexec/rcexecd have been removed in inetutils-1.9.1-2
---
Update 2012-04-26: Hah, just noticed that it was fixed upstream on April 20th: http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=f730d11f7f578db86ec699c619f4a65e7ac60752 . This doesn't make rexec suck any less, though.