Subject: Re: /usr/games question
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Isaac Wagner-Muns <fubar22@gmail.com>
List: netbsd-users
Date: 12/26/2006 16:23:04

Ok, thanks for the great info!

--Isaac

On Dec 26, 2006, at 11:02 AM, Steven M. Bellovin wrote:

> On Mon, 25 Dec 2006 14:18:15 -0600
> Isaac Wagner-Muns <fubar22@gmail.com> wrote:
>
>> can the games in /usr/games be used to compromise a system? they are
>> setuid, so I'm a little worried, and it never hurts to be paranoid! :)
>>
>
> I see nothing there setuid, only setgid.  That does make a difference,
> but in any event I think you're safe.
>
> setuid or setgid mean "run this program with different permissions".
> The security risk is that an attacker can then execute something else
> with those permissions.
>
> In this case a few games are setgid 'games'.  This means that a flaw
> lets an attacker have permission of group 'games'.  The issue is what
> rights that provides -- and the answer is "virtually none".  As best I
> can tell, it lets the attacker read /usr/games/hide (empty on my
> machine).
>
> Possibly, some game creates a file that is owned by a player, but has
> group 'games' write permission.  An attacker could overwrite that file,
> leaving in it something that would trigger a flaw in the game that
> reads it, allowing the attacker indirect access to the privileges of the
> user who invoked that game.  It's possible, but I don't know if any of
> the games creates such files.
>
> It's good that none of the games are setuid.  If they were, an attacker
> who gained the permissions of the game's owner could overwrite the game
> file that would attack whomever else invoked the game.
>
> I see no risk to the system itself except as I've just described.
>
>
> 		--Steve Bellovin, http://www.cs.columbia.edu/~smb



                      ! ! DANGER ! !
Do Not Look Into Laser With Remaining Eye!
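
An added example, not part of either message in this thread: a small POSIX sh audit script that performs the checks Steve's reply reasons through, listing the setuid and setgid files under a games directory, listing what a given group could write there, and flagging the setuid case as the one that matters. It assumes only a POSIX sh with find(1); the defaults /usr/games and group 'games' come from the thread, and any other path or group you pass is your own choice.

```sh
#!/bin/sh
# Added example (not from the original thread): audit a games directory the
# way the reply above reasons about it. Assumes a POSIX sh with find(1).
# Defaults below (/usr/games, group "games") match the thread; any other
# path or group passed in is the caller's own assumption.

# Regular files under DIR with the setuid bit (mode 4000) set.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Regular files under DIR with the setgid bit (mode 2000) set.
list_setgid() {
    find "$1" -type f -perm -2000 2>/dev/null | sort
}

# Anything under DIR owned by group GROUP and writable by that group:
# a flaw in a setgid-GROUP game hands an attacker exactly these write paths.
list_group_writable() {
    find "$1" -group "$2" -perm -020 2>/dev/null | sort
}

# Succeeds (exit 0) only if DIR holds at least one setuid file, the case
# the thread treats as worth worrying about.
has_setuid() {
    [ -n "$(list_setuid "$1")" ]
}

# Print the three lists and a one-line verdict for DIR (default /usr/games)
# and GROUP (default games).
audit_games_dir() {
    dir=${1:-/usr/games}
    group=${2:-games}
    echo "== setuid files under $dir =="
    list_setuid "$dir"
    echo "== setgid files under $dir =="
    list_setgid "$dir"
    echo "== files owned by group '$group' and group-writable under $dir =="
    list_group_writable "$dir" "$group"
    if has_setuid "$dir"; then
        echo "WARNING: setuid games found; a flaw in one yields the owner's privileges."
    else
        echo "OK: no setuid games; worst case is the rights of group '$group'."
    fi
}

# Stand-alone use: ./audit_games.sh [DIR [GROUP]]
audit_games_dir "$@"
```

The group-writable list is the interesting one: Steve's scenario (a player-owned file that group 'games' can write, later parsed by a game the victim runs) shows up there, while an empty setuid list is what makes the rest of his "virtually none" argument hold.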


