Subject: Re: Removing dm(1)
To: Jason Thorpe <email@example.com>
From: Jon Ribbens <firstname.lastname@example.org>
Date: 11/18/1997 19:05:38
Jason Thorpe <email@example.com> wrote:
> Care to explain this in real detail? How does the fact that a program
> runs setuid "games" (which gives it permission to write high scores
> files, among other things) allow me to access the account of any user
> that runs a game?
> The fact that a user has an euid of "games" gives them nothing more
> than the ability to run the games otherwise controlled by dm, and
> write high scores files. Worrying about whether or not a user has
> critical files writable by "games" is like worrying whether or not
> that user has critical files writable by "nobody", in my mind.
> If I have missed some important details, please enlighten me. But
> I'm not interested in rhetoric.
The really, really important detail you have missed is that being
user 'games' allows you to write to the games binaries. It would be
the work of a few seconds to replace all the games by programs which
create a setuid shell somewhere and then run the original binary.
What is arguably even more important about this is that some things
which people don't think of as 'games' are run by 'dm' - e.g. 'fortune'.
I have seen more than one system where fortune is run on login. Next
time root logs in - bang.
\ // Jon Ribbens // 100MB virtual-hosted // www.oaktree.co.uk
\// firstname.lastname@example.org // web space for 99UKP //
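The flaw described in the message above (a setuid binary that is writable by the very account it grants) is something an administrator can check for mechanically. The following audit script is an added example and is not code from either poster or from the BSD `dm` tool. It walks a directory tree, flags any setuid or setgid regular file that is writable by its own owner or group (ignoring privileged owners such as uid 0, for whom write access is moot) or by everyone, and ships with a constructed temporary tree that imitates a `games` directory; the file names `fortune`, `rogue` and `hiscore.txt` and the modes given to them are made up for the demonstration, and the current uid is treated as unprivileged so the temp files stand in for the `games` account.

```python
"""Audit setuid/setgid executables that their own effective identity could overwrite.

Constructed example. A setuid binary owned by an unprivileged service account
(e.g. 'games') that is also owner-writable can be replaced by anyone who reaches
that account's euid; this is the scenario discussed in the thread. For uid 0 the
same mode is normal and is not reported.
"""
import os
import stat
import tempfile


def classify(mode, uid, gid, privileged_uids=(0,), privileged_gids=(0,)):
    """Return the reasons a regular file with these stat fields is risky ([] if none)."""
    reasons = []
    if not stat.S_ISREG(mode):
        return reasons
    is_suid = bool(mode & stat.S_ISUID)
    is_sgid = bool(mode & stat.S_ISGID)
    if not (is_suid or is_sgid):
        return reasons
    if mode & stat.S_IWOTH:
        reasons.append("world-writable privileged binary")
    if is_suid and uid not in privileged_uids and mode & stat.S_IWUSR:
        reasons.append(f"setuid to uid {uid} and writable by that uid")
    if is_sgid and gid not in privileged_gids and mode & stat.S_IWGRP:
        reasons.append(f"setgid to gid {gid} and writable by that gid")
    return reasons


def find_risky(root, privileged_uids=(0,), privileged_gids=(0,)):
    """Walk `root` and return sorted (path, reasons) pairs for files classify() flags."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks into other trees
            except OSError:
                continue
            reasons = classify(st.st_mode, st.st_uid, st.st_gid,
                               privileged_uids, privileged_gids)
            if reasons:
                findings.append((path, reasons))
    return sorted(findings)


def demo():
    """Build a constructed tree resembling the thread's scenario and audit it."""
    root = tempfile.mkdtemp(prefix="dm_audit_")
    games = os.path.join(root, "games")
    os.makedirs(games)

    def make(name, mode):
        # Placeholder shell scripts stand in for the game binaries (constructed data).
        path = os.path.join(games, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho placeholder\n")
        os.chmod(path, mode)

    make("fortune", 0o4755)      # setuid and owner-writable: the flaw in the thread
    make("rogue", 0o4555)        # setuid but not writable by its owner: not replaceable via euid alone
    make("hiscore.txt", 0o664)   # plain data file, no setuid bit: not a concern here

    # The temp files belong to whoever runs this, so no uid/gid is treated as
    # privileged; that models an unprivileged 'games' account owning the tree.
    return find_risky(root, privileged_uids=(), privileged_gids=())


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", "; ".join(reasons))
```

Against a live system, call `find_risky("/usr/games")` (or the directory `dm` actually runs binaries from) with the default privileged ids; anything it reports is a binary that the account it grants can rewrite, and the usual fix is to make such binaries root-owned and read-only for the service account while leaving only the high-score files writable by it.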