Subject: Re: Removing dm(1)
To: Jon Ribbens, Jason Thorpe
From: Brian Buhrow
List: current-users
Date: 11/18/1997 16:14:18
Is there something about fortune I don't understand?  The old version
of fortune that I used to see had to be setuid to the games uid because it
wanted to write to its random number seed generator.  I have a version that
writes nothing, so doesn't need a setuid bit of any kind.  Is this the one
distributed in the NetBSD sources, or is that one still setuid to games and
scribbling away each time a user uses it?

On Nov 18,  7:05pm, Jon Ribbens wrote:
} Subject: Re: Removing dm(1)
} Jason Thorpe wrote:
} > Care to explain this in real detail?  How does the fact that a program
} > runs setuid "games" (which gives it permission to write high scores
} > files, among other things) allow me to access the account of any user
} > that runs a game?
} > 
} > The fact that a user has an euid of "games" gives them nothing more
} > than the ability to run the games otherwise controlled by dm, and
} > write high scores files.  Worrying about whether or not a user has
} > critical files writable by "games" is like worrying whether or not
} > that user has critical files writable by "nobody", in my mind.
} > 
} > If I have missed some important details, please enlighten me.  But
} > I'm not interested in rhetoric.
} The really, really important detail you have missed is that being
} user 'games' allows you to write to the games binaries. It would be
} the work of a few seconds to replace all the games by programs which
} create a setuid shell somewhere and then run the original binary.
} What is arguably even more important about this is that some things
} which people don't think of as 'games' are run by 'dm' - e.g. 'fortune'.
} I have seen more than one system where fortune is run on login. Next
} time root logs in - bang.
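
An audit for the condition the quoted reply describes (a set-id binary that the identity it runs as can itself rewrite), added here as an example and not part of the original thread. The function names, the trusted-uid set and the default `/usr/games` path are assumptions made for illustration.

```python
import os
import stat
import sys

OWNER = "setuid to a non-trusted owner, who can rewrite or chmod the file"
WRITABLE = "set-id file is writable by group or other"

def setid_findings(mode, uid, trusted_uids=frozenset({0})):
    """Return the reasons a set-id regular file can be altered by a non-trusted identity."""
    if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
        return []  # directories and files without a set-id bit are out of scope
    reasons = []
    # The thread's case: a binary that is setuid 'games' and also owned by 'games',
    # so anything running with that euid can modify the binary it came from.
    if mode & stat.S_ISUID and uid not in trusted_uids:
        reasons.append(OWNER)
    # Independent of ownership: write access for group or other on a set-id file.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append(WRITABLE)
    return reasons

def audit_tree(root, trusted_uids=frozenset({0})):
    """Walk root and map each flagged path to its list of reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: judge the entry itself, not a symlink target
            reasons = setid_findings(st.st_mode, st.st_uid, trusted_uids)
            if reasons:
                findings[path] = reasons
    return findings

if __name__ == "__main__":
    # Assumed default directory; pass another path as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/games"
    for path, reasons in sorted(audit_tree(root).items()):
        print(path + ": " + "; ".join(reasons))
```

A binary such as the non-writing fortune mentioned above, installed without any set-id bit, produces no finding regardless of its owner.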
