Subject: Re: Removing dm(1)
To: Jason Thorpe <thorpej@nas.nasa.gov>
From: Todd Vierling <tv@NetBSD.ORG>
List: tech-security
Date: 11/18/1997 19:43:53
On Tue, 18 Nov 1997, Jason Thorpe wrote:

:  > This was already explained in detail. Set your screen height to 25
:  > or less, run /usr/games/fish, ask for instructions, and then spawn
:  > a subshell from the more(1) that displays the instructions. You
:  > are now the games user, and can replace any game you like with a
:  > trojan with the same functionality, but that also squirrels away
:  > a copy of /bin/sh suid to the user running it, or does whatever else
:  > you like as that user running it. Do this with fortune(6), for
:  > example, and you nail some users (such as me) every time they log in.
:  
: Ah, thank you.  I was hoping this is what you'd tell me.  Basically,
: now I can give you an example of significant functionality that
: dm(8) provides...

Why are we using setuid instead of setgid, anyhow?  Setgid has less inherent
security risk, if all the programs are owned by root and nothing is group
writable.  This would, temporarily at least, reduce the security risk to
something more manageable in the meantime.  Trojan programs would not be
installable in place of the real programs.  /var/games, for high scores,
could be mode 770, with created files being mode 0660.

: Curt: I suggest you edit /etc/dm.conf to disallow games that spawn pagers
: until this issue is dealt with.  :-)

We still need to worry about strcat(), sprintf(), and the other usual buffer
overflowable calls. 

=====
== Todd Vierling (Personal tv@pobox.com; Business tv@lucent.com)
== So you know what, Mikey?  Go to bed.
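As an added illustration of the setgid layout Todd proposes (an editor's example, not code from this thread), here is a small audit that flags the conditions he wants ruled out: set-id game binaries that the games group could overwrite, set-id binaries not owned by root, and high-score directories or files reachable by "other". The tree it builds under mktemp is constructed for the demo; `nonroot_setid` depends on who runs it, so only the two write-bit checks are exercised by the demo tree.

```shell
#!/bin/sh
# Editor's example: audit a games tree for the setuid/setgid risks discussed.
# All paths below are constructed demo data, not a real install.

# Set-id binaries that are group- or world-writable: a trojan could be dropped in place.
writable_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) | sort
}

# Set-id binaries not owned by root: their owner (e.g. the games user) can replace them.
nonroot_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) ! -user root | sort
}

# Score directories searchable by "other" or score files world-writable
# (the proposal wants /var/games mode 770 and created files mode 0660).
world_access_scores() {
    find "$1" \( -type d -perm -0001 -o -type f -perm -0002 \) | sort
}

# Build a constructed tree mirroring /usr/games and /var/games; prints its root.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/games" "$root/var/games"
    : > "$root/usr/games/fish";    chmod 2755 "$root/usr/games/fish"     # setgid, not group-writable: ok
    : > "$root/usr/games/fortune"; chmod 2775 "$root/usr/games/fortune"  # setgid and group-writable: bad
    : > "$root/usr/games/rogue";   chmod 4755 "$root/usr/games/rogue"    # setuid, write bits fine
    chmod 770 "$root/var/games"
    : > "$root/var/games/fish.scores";  chmod 0660 "$root/var/games/fish.scores"   # ok
    : > "$root/var/games/rogue.scores"; chmod 0666 "$root/var/games/rogue.scores"  # world-writable: bad
    echo "$root"
}
```

Running `writable_setid` and `world_access_scores` over the demo tree reports only `fortune` and `rogue.scores`; on a real system point them at /usr/games and /var/games.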