Subject: Re: Removing dm(1)
To: Jason Thorpe <thorpej@nas.nasa.gov>
From: Eivind Eklund <eivind@freebsd.org>
List: tech-security
Date: 11/19/1997 16:34:05
>
> On Tue, 18 Nov 1997 10:37:26 -0800 (PST)
> Curt Sampson <cjs@portal.ca> wrote:
>
> > This was already explained in detail. Set your screen height to 25
> > or less, run /usr/games/fish, ask for instructions, and then spawn
> > a subshell from the more(1) that displays the instructions. You
> > are now the games user, and can replace any game you like with a
> > trojan with the same functionality, but that also squirrels away
> > a copy of /bin/sh suid to user running it, or does whatever else
> > you like as that user running it. Do this with fortune(6), for
> > example, and you nail some users (such as me) every time they log in.
>
> Ah, thank you. I was hoping this is what you'd tell me. Basically,
> now I can give you an example of significant functionality that
> dm(8) provides...
>
> Curt: I suggest you edit /etc/dm.conf to disallow games that spawn pagers
> until this issue is dealt with. :-)

NO. This doesn't solve the problem. The games have a lot of
different security holes; spawning pagers is just the most explicit of
these. Games cannot be setuid with reasonable security; changing them
to setgid gives some security. They still need additional work to get
absolute security; there are some more problem spots. I can take
those spots in private with one of the NetBSD developers if that is of
interest; personally, I'm arguing for throwing the games out of
FreeBSD for this and a couple of copyright/trademark-related reasons.

What NetBSD elects to do with the setuid/setgid problem is your
problem, but I'd be disappointed to see it just ignored (and just
disabling the games with pagers is equal to ignoring the problem).
Doing a merge wouldn't be that hard.

Eivind.
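
Added example, not part of the original message and not code from NetBSD or FreeBSD: an audit sketch for the ownership side of the setuid/setgid point discussed in the thread. It reports every program in a games directory whose own granted uid or gid would be enough to replace the binary. The function names and the default path are assumptions made for illustration, and it covers file and directory permissions only, not the other problem spots the message mentions.

```python
import os
import stat
import sys

def _writable(mode, gid, gids):
    # Caller is not the owner: group bits apply to members, else "other" bits.
    return bool(mode & (stat.S_IWGRP if gid in gids else stat.S_IWOTH))

def can_replace(f, d, uid, gids):
    """f, d: (mode, uid, gid) of a file and of the directory holding it."""
    (fmode, fuid, fgid), (dmode, duid, dgid) = f, d
    if uid is not None and uid in (fuid, duid):
        return True                      # an owner can always chmod, then write
    if _writable(fmode, fgid, gids):
        return True                      # overwrite in place
    # Unlink and recreate, unless the sticky bit restricts deletion to owners.
    return _writable(dmode, dgid, gids) and not dmode & stat.S_ISVTX

def escape_risk(f, d):
    """True if the identity program f grants is enough to replace f itself."""
    fmode, fuid, fgid = f
    uid = fuid if fmode & stat.S_ISUID else None
    gids = {fgid} if fmode & stat.S_ISGID else set()
    if uid is None and not gids:
        return False                     # grants nothing beyond the invoker
    return can_replace(f, d, uid, gids)

def audit(directory):
    """Names of regular files in directory for which escape_risk is true."""
    ds = os.stat(directory)
    d = (ds.st_mode, ds.st_uid, ds.st_gid)
    hits = []
    for name in sorted(os.listdir(directory)):
        s = os.lstat(os.path.join(directory, name))
        if stat.S_ISREG(s.st_mode) and escape_risk((s.st_mode, s.st_uid, s.st_gid), d):
            hits.append(name)
    return hits

if __name__ == "__main__":
    # Default path is an assumption; pass the directory to audit as argv[1].
    for name in audit(sys.argv[1] if len(sys.argv) > 1 else "/usr/games"):
        print("replaceable from its own privilege:", name)
```

A setuid program is always reported, because the uid it grants is the uid that owns it. A setgid program owned by another user is reported only when the file or its directory is writable by that group.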