tech-security: Re: bin/4489: /usr/games/fish allows setuid games binaries to be created by unprivileged user

Subject: Re: bin/4489: /usr/games/fish allows setuid games binaries to be created by unprivileged user
To: Jason Thorpe <thorpej@nas.nasa.gov>
From: Simon Burge <simonb@telstra.com.au>
List: tech-security
Date: 11/19/1997 06:19:49

On Tue, 18 Nov 1997 08:23:56 -0800  Jason Thorpe wrote:

> On Tue, 18 Nov 1997 15:22:10 +0000 
>  Jon Ribbens <jon@oaktree.co.uk> wrote:
> 
>  > IMHO the 'dm' system is completely broken. Preferably it should be abandoned
>  > completely. At the least, every single game needs 'setuid(getuid())' adding.
>  > Does anybody actually use the games-restriction facilities of 'dm'?
> 
> One thing the games do use their setuid privilege for is to write high
> scores.
> 
> But, yes, the games could be made much safer, and the world would be
> a better place for it.

Would making all the score-file keeping programs setgid instead of
setuid make this safer?

Simon.