Debian bug report logs -
#1118, boring messages
Message sent to debian-devel@pixar.com:
Subject: Bug#1118: fortune is setuid games ?!
Reply-To: iwj10@cus.cam.ac.uk (Ian Jackson), debian-bugs@pixar.com
Resent-To: debian-devel@pixar.com
Resent-From: iwj10@cus.cam.ac.uk (Ian Jackson)
Resent-Sender: iwj10@cus.cam.ac.uk
Resent-Date: Wed, 19 Jul 1995 10:33:10 GMT
Resent-Message-ID: <debian-bugs-handler.1118.071910243128005@pixar.com>
X-Debian-PR-Package: fortune
X-Debian-PR-Keywords:
Received: via spool for debian-bugs; Wed, 19 Jul 1995 10:33:10 GMT
Received: with rfc822 via encapsulated-mail id 071910243128005;
Wed, 19 Jul 1995 10:24:32 GMT
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0sYWGl-000651C; Wed, 19 Jul 95 03:22 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA04361
(5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Wed, 19 Jul 1995 03:20:49 -0700
Received: by bootes.cus.cam.ac.uk
(Smail-3.1.29.0 #36) id m0sYWGe-000C0JC; Wed, 19 Jul 95 11:22 BST
Received: by chiark
id <m0sYICE-0000YDZ@chiark.al.cl.cam.ac.uk>
(Debian /\oo/\ Smail3.1.29.1 #29.32); Tue, 18 Jul 95 20:20 BST
Message-Id: <m0sYICE-0000YDZ@chiark.al.cl.cam.ac.uk>
Date: Tue, 18 Jul 95 20:20 BST
From: iwj10@cus.cam.ac.uk (Ian Jackson)
To: Debian bugs submission address <debian-bugs@pixar.com>
Package: fortune
Version: 2.1-1
The binary /usr/games/fortune is setuid games, and is willing to use its
privilege to read fortune files in arbitrary directories. It is
probably possible to trick it into spouting out bits of other
read-protected files belonging to `games'.
Many of the /usr/lib/games/fortune/* files are only readable by user
`games'.
IMO the setuid should be removed, the files made world-readable, and
/usr/games/fortune and all the fortune files be made owned by
root.root as per the packaging Guidelines.
(If we decide to do this then we can change the uid of the `games'
group because nothing is using it any more. If necessary we could use
a `find' script to change any residual files.)
Ian.
Message sent:
From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: iwj10@cus.cam.ac.uk (Ian Jackson)
Subject: Bug#1118: Acknowledgement (was: fortune is setuid games ?!)
In-Reply-To: <m0sYICE-0000YDZ@chiark.al.cl.cam.ac.uk>
References: <m0sYICE-0000YDZ@chiark.al.cl.cam.ac.uk>
Thank you for the problem report you have sent regarding Debian GNU/Linux.
This is an automatically generated reply, to let you know your message has
been received. It is being forwarded to the developers' mailing list for
their attention; they will reply in due course.
If you wish to submit further information on your problem, please send
it to debian-bugs@pixar.com, but please ensure that the Subject
line of your message starts with "Bug#1118" or "Re: Bug#1118" so that
we can identify it as relating to the same problem.
Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.
Ian Jackson
(maintainer, debian-bugs)
Message sent to debian-devel@pixar.com:
Subject: Bug#1118: fortune is setuid games ?!
Reply-To: Ralf Baechle <ralf@waldorf-gmbh.de>, debian-bugs@pixar.com
Resent-To: debian-devel@pixar.com
Resent-From: Ralf Baechle <ralf@waldorf-gmbh.de>
Resent-Sender: iwj10@cus.cam.ac.uk
Resent-Date: Wed, 19 Jul 1995 21:18:02 GMT
Resent-Message-ID: <debian-bugs-handler.1118.071921100216687@pixar.com>
X-Debian-PR-Package: fortune
X-Debian-PR-Keywords:
Received: via spool for debian-bugs; Wed, 19 Jul 1995 21:18:02 GMT
Received: with rfc822 via encapsulated-mail id 071921100216687;
Wed, 19 Jul 1995 21:10:02 GMT
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0sYgMR-0005kyC; Wed, 19 Jul 95 14:08 PDT
Received: from relay.xlink.net by pixar.com with SMTP id AA03552
(5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Wed, 19 Jul 1995 14:07:19 -0700
Received: from scotty.waldorf-gmbh.de by relay.xlink.net
id <31351-0@relay.xlink.net>; Wed, 19 Jul 1995 23:08:02 +0000
From: Ralf Baechle <ralf@waldorf-gmbh.de>
Message-Id: <199507192108.XAA27676@scotty.waldorf-gmbh.de>
Received: from localhost by scotty.waldorf-gmbh.de (8.6.4/WE-1.0.1) id XAA27676;
Wed, 19 Jul 1995 23:08:30 +0200
To: iwj10@cus.cam.ac.uk, debian-bugs@pixar.com
Date: Wed, 19 Jul 1995 23:08:28 +0200 (MET DST)
In-Reply-To: <m0sYICE-0000YDZ@chiark.al.cl.cam.ac.uk> from "Ian Jackson" at Jul 18, 95 08:20:00 pm
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Length: 971
Hi,
> The binary /usr/games/fortune is setuid games, and is willing to use its
> privilege to read fortune files in arbitrary directories. It is
> probably possible to trick it into spouting out bits of other
> read-protected files belonging to `games'.
>
> Many of the /usr/lib/games/fortune/* files are only readable by user
> `games'.
>
> IMO the setuid should be removed, the files made world-readable, and
> /usr/games/fortune and all the fortune files be made owned by
> root.root as per the packaging Guidelines.
>
> (If we decide to do this then we can change the uid of the `games'
> group because nothing is using it any more. If necessary we could use
> a `find' script to change any residual files.)
I didn't check this extra for Debian but there are some programs like
xtetris that should in my opinion be setuid or setgid so that only the
game may write to the highscore file. Just a fact that I disliked in
other distributions.
Happy hacking,
Ralf
Message sent:
From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: Ralf Baechle <ralf@waldorf-gmbh.de>
Subject: Bug#1118: Info received (was Bug#1118: fortune is setuid games ?!)
In-Reply-To: <199507192108.XAA27676@scotty.waldorf-gmbh.de>
References: <199507192108.XAA27676@scotty.waldorf-gmbh.de>
Thank you for the additional information you have supplied regarding
this problem report. It has been forwarded to the developers to
accompany the original report.
If you wish to continue to submit further information on your problem,
please do the same thing again: send it to debian-bugs@pixar.com, ensuring
that the Subject line starts with "Bug#1118" or "Re: Bug#1118" so that
we can identify it as relating to the same problem.
Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.
Ian Jackson
(maintainer, debian-bugs)
Message sent to debian-devel@pixar.com:
Subject: Bug#1118: fortune is setuid games ?!
Reply-To: iwj10@cus.cam.ac.uk (Ian Jackson), debian-bugs@pixar.com
Resent-To: debian-devel@pixar.com
Resent-From: iwj10@cus.cam.ac.uk (Ian Jackson)
Resent-Sender: iwj10@cus.cam.ac.uk
Resent-Date: Thu, 20 Jul 1995 20:33:01 GMT
Resent-Message-ID: <debian-bugs-handler.1118.07202028524341@pixar.com>
X-Debian-PR-Package: fortune
X-Debian-PR-Keywords:
Received: via spool for debian-bugs; Thu, 20 Jul 1995 20:33:01 GMT
Received: with rfc822 via encapsulated-mail id 07202028524341;
Thu, 20 Jul 1995 20:28:53 GMT
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0sZ2BR-000AC2C; Thu, 20 Jul 95 13:27 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA07387
(5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 20 Jul 1995 13:25:22 -0700
Received: by bootes.cus.cam.ac.uk
(Smail-3.1.29.0 #36) id m0sZ2B5-000C0YC; Thu, 20 Jul 95 21:26 BST
Received: by chiark
id <m0sZ1r7-0002XXZ@chiark.al.cl.cam.ac.uk>
(Debian /\oo/\ Smail3.1.29.1 #29.32); Thu, 20 Jul 95 21:06 BST
Message-Id: <m0sZ1r7-0002XXZ@chiark.al.cl.cam.ac.uk>
Date: Thu, 20 Jul 95 21:06 BST
From: iwj10@cus.cam.ac.uk (Ian Jackson)
To: Ralf Baechle <ralf@waldorf-gmbh.de>
Cc: debian-bugs@pixar.com
In-Reply-To: <199507192108.XAA27676@scotty.waldorf-gmbh.de>
References: <m0sYICE-0000YDZ@chiark.al.cl.cam.ac.uk>
<199507192108.XAA27676@scotty.waldorf-gmbh.de>
Ralf Baechle writes ("Re: Bug#1118: fortune is setuid games ?!"):
> I didn't check this extra for Debian but there are some programs like
> xtetris that should in my opinion be setuid or setgid so that only the
> game may write to the highscore file. Just a fact that I disliked in
> other distributions.
I presume that you mean that you disliked the other distributions for
having world-writeable or broken score files.
We should add something to the Guidelines saying that games that need
to write score files, game save files, &c may use the `games' group
(which should be created, of course).
Ian.
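The pattern the two messages from Ian above point at, a games binary that keeps its group privilege for its own data or score files but never lends that privilege to a path the user names, written out as an added example in C. This is not code from the fortune package or from the bug report; the function names, the throwaway test tree under /tmp and the choice of realpath(3) plus a temporary credential drop are assumptions made here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if `path` lies inside `dir` once both are canonicalised with realpath(3),
 * so ".." and symlinks cannot escape; copies the canonical path to `resolved`. */
int path_inside(const char *dir, const char *path, char *resolved)
{
    char rdir[PATH_MAX], rpath[PATH_MAX];
    if (realpath(dir, rdir) == NULL || realpath(path, rpath) == NULL)
        return 0;
    size_t n = strlen(rdir);
    if (strncmp(rdir, rpath, n) != 0 || (rpath[n] != '/' && rpath[n] != '\0'))
        return 0; /* prefix must end at a '/' so ".../fortune2" is rejected */
    if (resolved != NULL)
        snprintf(resolved, PATH_MAX, "%s", rpath);
    return 1;
}

/* Open `path` with the caller's real uid/gid, then restore the effective ids.
 * Drop gid before uid and restore uid before gid: once a privileged uid is
 * gone the process may no longer be allowed to change its gid. */
int open_as_caller(const char *path)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        setegid(egid);
        return -1;
    }
    int fd = open(path, O_RDONLY);
    int saved = errno;
    if (seteuid(euid) != 0 || setegid(egid) != 0) {
        if (fd >= 0) close(fd);
        return -1; /* cannot regain privilege: fail closed */
    }
    errno = saved;
    return fd;
}

/* Policy: only the package's own files under `dir` are read with the program's
 * privilege; any other path the user names is opened as the user, so the
 * binary cannot serve as a read oracle for other files only `games` may read.
 * The check-then-open on the trusted branch is sound only because the caller
 * cannot write to `dir` and so cannot swap the file for a symlink in between. */
int open_fortune_file(const char *dir, const char *path)
{
    char resolved[PATH_MAX];
    if (path_inside(dir, path, resolved))
        return open(resolved, O_RDONLY);
    return open_as_caller(path);
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Build a throwaway tree under /tmp (constructed data, not real fortune files)
 * and exercise the policy; returns the number of checks passed, 5 when all behave. */
int self_check(void)
{
    char base[] = "/tmp/fortune-demo-XXXXXX";
    if (mkdtemp(base) == NULL)
        return 0;
    char data[PATH_MAX], inside[PATH_MAX], outside[PATH_MAX], lnk[PATH_MAX], dotdot[PATH_MAX];
    snprintf(data, PATH_MAX, "%s/data", base);
    snprintf(inside, PATH_MAX, "%s/data/inside.txt", base);
    snprintf(outside, PATH_MAX, "%s/outside.txt", base);
    snprintf(lnk, PATH_MAX, "%s/data/link.txt", base);
    snprintf(dotdot, PATH_MAX, "%s/data/../outside.txt", base);
    int ok = 0, fd;
    if (mkdir(data, 0700) == 0 && write_file(inside, "in") == 0 &&
        write_file(outside, "out") == 0 && symlink(outside, lnk) == 0) {
        ok += path_inside(data, inside, NULL) == 1;
        ok += path_inside(data, lnk, NULL) == 0;    /* symlink escapes the tree */
        ok += path_inside(data, dotdot, NULL) == 0; /* ".." escapes the tree */
        char buf[3] = {0};
        fd = open_fortune_file(data, inside);       /* trusted: read with privilege */
        ok += fd >= 0 && read(fd, buf, 2) == 2 && strcmp(buf, "in") == 0;
        if (fd >= 0) close(fd);
        fd = open_fortune_file(data, outside);      /* untrusted: opened as the caller */
        ok += fd >= 0;
        if (fd >= 0) close(fd);
    }
    unlink(lnk); unlink(inside); unlink(outside); rmdir(data); rmdir(base);
    return ok;
}
```

path_inside rejects "..", symlinks and look-alike prefixes; open_as_caller is the actual fix for the complaint in the report, since a user-named file is opened with the user's own credentials and the group privilege is used only for the package's own directory. Run unprivileged, as self_check does, the credential drop is a no-op because real and effective ids already agree, but the same code installed setgid games would keep the score-file privilege while refusing to act as a read oracle. The trusted branch still assumes the data directory is not writable by the caller.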
Message sent:
From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: iwj10@cus.cam.ac.uk (Ian Jackson)
Subject: Bug#1118: Info received (was Bug#1118: fortune is setuid games ?!)
In-Reply-To: <m0sZ1r7-0002XXZ@chiark.al.cl.cam.ac.uk>
References: <m0sZ1r7-0002XXZ@chiark.al.cl.cam.ac.uk>
Thank you for the additional information you have supplied regarding
this problem report. It has been forwarded to the developers to
accompany the original report.
If you wish to continue to submit further information on your problem,
please do the same thing again: send it to debian-bugs@pixar.com, ensuring
that the Subject line starts with "Bug#1118" or "Re: Bug#1118" so that
we can identify it as relating to the same problem.
Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.
Ian Jackson
(maintainer, debian-bugs)
Ian Jackson /
iwj10@thor.cam.ac.uk,
with the debian-bugs tracking mechanism