Subject: Re: /usr/games - group writable or not?
To: Jon Ribbens <jon@oaktree.co.uk>
From: Darren Reed <darrenr@cyber.com.au>
List: tech-security
Date: 11/20/1997 02:30:38

In some mail I received from Jon Ribbens, sie wrote
>
> Bruce Barnett <barnett@grymoire.crd.ge.com> wrote:
> > >Anyway, most of the games should be easy to convert to setgid games. Just
> > >make /var/games 775, eg.
> >
> > I disagree, and no one else has. Let me explain.
> >
> > If the games directory is group writable, then any setgid to games
> > program could replace one of the files in this directory (a trojan
> > horse attack).
>
> The saved games directory (/var/games) is not the same as the games
> binaries directory (/usr/games). /usr/games should be root:wheel 755.
> /var/games should be root:games 775.

I think a liberal application of the immutable bit would stop trojans
being inserted.
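
An audit of the layout discussed in this thread, added here as an example and not part of any poster's message: it flags group- or world-writable entries under a binaries tree, world-writable entries under a saved-games tree, and optionally files without an immutable flag. The function names are hypothetical, the uid/gid values are supplied by the caller, and the immutable check assumes a BSD-style system where stat results carry st_flags.

```python
import os
import stat

# Policy stated in the thread: /usr/games root:wheel 755, /var/games root:games 775.
BIN_MODE, DATA_MODE = 0o755, 0o775

def _entries(root):
    """Yield root and every directory and file beneath it."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)

def _immutable(st):
    """True if a BSD immutable flag is set; st_flags is absent on Linux."""
    flags = getattr(st, "st_flags", 0)
    return bool(flags & (stat.UF_IMMUTABLE | stat.SF_IMMUTABLE))

def audit_games_dir(root, data_dir=False, uid=None, gid=None, require_immutable=False):
    """Return sorted (path, problem) findings for one directory tree.

    data_dir=False: binaries tree, nothing may be group- or world-writable.
    data_dir=True:  saved-games tree, group write is expected, world write is not.
    uid and gid are checked only when given (caller-supplied assumptions).
    """
    findings = []
    want = DATA_MODE if data_dir else BIN_MODE
    top = stat.S_IMODE(os.lstat(root).st_mode)
    if top != want:
        findings.append((root, "mode %o, expected %o" % (top, want)))
    for path in _entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # permission bits on a symlink itself are not meaningful
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        if mode & stat.S_IWGRP and not data_dir:
            findings.append((path, "group-writable"))
        if uid is not None and st.st_uid != uid:
            findings.append((path, "owner uid %d" % st.st_uid))
        if gid is not None and st.st_gid != gid:
            findings.append((path, "group gid %d" % st.st_gid))
        is_binary = stat.S_ISREG(st.st_mode) and not data_dir
        if require_immutable and is_binary and not _immutable(st):
            findings.append((path, "immutable flag not set"))
    return sorted(findings)
```

Call it as audit_games_dir("/usr/games", uid=0) and audit_games_dir("/var/games", data_dir=True, uid=0), adding the gid of wheel or games as appropriate for the system.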