Subject: Re: Removing dm(1)
To: Curt Sampson <firstname.lastname@example.org>
From: Scott Reynolds <scottr@Plexus.COM>
Date: 11/19/1997 00:53:36
On Tue, 18 Nov 1997, Curt Sampson wrote:
> Why does a non-suid program need a security sweep anyway?
oh, i don't know. you've said it yourself; you can't see the security
hole, but does that mean it's not there?
> I understand that you have already come up with such a scheme; why
> don't you spell it out? Or are you trying to protract this
no, actually i was working at the time. (a novel concept, to be sure.
i'll describe it if you're interested.)
here's the solution i came up with this morning, after spending all of 5
minutes on it:
1) modify dm(8) to be a setgid-games executable, rather than setuid
2) modify any games currently setuid-games to use setgid-games instead,
for writing high score files, etc. as always, follow standard
procedures for relinquishing setid status except when accessing
3) make the games owner bin:games, mode 2550
4) make /usr/games/hide root:games, mode 750
5) ensure that no files other than game data files are writable by
group `games', particularly executables.
feel free to suggest improvements or show why it's not sufficient. (in
particular, it doesn't matter what group is used, if this use of `games'
conflicts with an existing convention.)