Subject: Re: bin/4489: /usr/games/fish allows setuid games binaries to be created by unprivileged user
To: Jason Thorpe <thorpej@nas.nasa.gov>
From: Eivind Eklund <perhaps@yes.no>
List: tech-security
Date: 11/18/1997 19:20:11
> 
> On Tue, 18 Nov 1997 15:22:10 +0000 
>  Jon Ribbens <jon@oaktree.co.uk> wrote:
> 
>  > IMHO the 'dm' system is completely broken. Preferably it should be abandoned
>  > completely. At the least, every single game needs 'setuid(getuid())' adding.
>  > Does anybody actually use the games-restriction facilities of 'dm'?
> 
> One thing the games do use their setuid privilege for is to write high
> scores.
> 
> But, yes, the games could be made much safer, and the world would be
> a better place for it.

Try grabbing the version in FreeBSD.  I've merged the OpenBSD changes
over to us, and there have been some other fixes done to make that
work better than OpenBSD (which I haven't had time to verify and merge
to OpenBSD yet).

The concept there is making the games setgid(), and installing
pre-created score files for those games that need that.

Grab the patches before they disappear - we're considering nuking the
games.

Eivind.