Subject: Re: Removing dm(1)
To: None <tech-security@NetBSD.ORG>
From: Soren S. Jorvang <soren@t.dk>
List: current-users
Date: 11/19/1997 01:53:52

On Tue, 18 Nov 1997, Curt Sampson wrote:

> On Tue, 18 Nov 1997, Soren S. Jorvang wrote:
> 
> > It does not simplify the security problem, but it does remove a very
> > obsolete mechanism. Has anybody here actually used dm.conf within the last
> > n years?
> 
> It does to some degree. The fact that I can run fish and become
> the games user is directly attributable to it being run by dm;
> otherwise it would never run suid.

Not in the case of fish, but for programs that actually have a use for the
setuid bit, the danger in the ability to spawn a sub-shell is the same.

> > It also seems to me that most (all?) of the games need no more than being
> > setgid games, as all they do (apart from the game stuff) is write score
> > files to /var/games . This would also lessen the impact of security holes
> > in the games.
> 
> Yes, I think that this is an excellent idea.

Someone suggested looking at the changes made in OpenBSD and FreeBSD which
supposedly include this, among other things.

FreeBSD (at least 2.2.5 does, and also -current from a cursory look) still
seems to use dm(8). I don't have an OpenBSD tree to check right now.

Anyway, most of the games should be easy to convert to setgid games. Just
make /var/games 775, e.g.

Even if the games are limited to being setgid games, I think including
these patches (fixing buffer overruns and suchlike) would be a good thing.

For 1.3, I would prefer anything else than the current situation. A broken
(mode 555 - no score files) /usr/games would even be preferable to setuid
programs that have not been checked closely for security holes.

> > While we are at the let's-remove-stuff game, would anybody miss the
> > 'ingres' and 'falken' users from the initial master.passwd?
> 
> Falken can go, I think; I doubt any of the young crackers these
> days even understand the reference.

Well, here (Denmark) there are television reruns of the movie every other
year or so. I myself was a bit too young at the time, but I have seen it a
couple of times since then - before forgetting about television.

> I still use ingres to own the postgres database stuff. It would be
> nice to have standardised userids for the database owner, ftp, www,
> and so on, but I don't know that the default password file is the
> best place to store this information.

Agreed.


-- 
Soren