Debian bug report logs - #1118
fortune is setuid games ?!
Package: fortune; Reported by: iwj10@cus.cam.ac.uk (Ian Jackson); 104 days old.
Message received at debian-bugs:
From cus.cam.ac.uk!iwj10 Thu Jul 20 13:27:06 1995
Return-Path: <iwj10@cus.cam.ac.uk>
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0sZ2BR-000AC2C; Thu, 20 Jul 95 13:27 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA07387
(5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 20 Jul 1995 13:25:22 -0700
Received: by bootes.cus.cam.ac.uk
(Smail-3.1.29.0 #36) id m0sZ2B5-000C0YC; Thu, 20 Jul 95 21:26 BST
Received: by chiark
id <m0sZ1r7-0002XXZ@chiark.al.cl.cam.ac.uk>
(Debian /\oo/\ Smail3.1.29.1 #29.32); Thu, 20 Jul 95 21:06 BST
Message-Id: <m0sZ1r7-0002XXZ@chiark.al.cl.cam.ac.uk>
Date: Thu, 20 Jul 95 21:06 BST
From: iwj10@cus.cam.ac.uk (Ian Jackson)
To: Ralf Baechle <ralf@waldorf-gmbh.de>
Cc: debian-bugs@pixar.com
Subject: Re: Bug#1118: fortune is setuid games ?!
In-Reply-To: <199507192108.XAA27676@scotty.waldorf-gmbh.de>
References: <m0sYICE-0000YDZ@chiark.al.cl.cam.ac.uk>
<199507192108.XAA27676@scotty.waldorf-gmbh.de>
Ralf Baechle writes ("Re: Bug#1118: fortune is setuid games ?!"):
> I didn't check this extra for Debian but there are some programs line
> xtetris that should in my opinion setuid or setgid so that only the
> game may write to the highscore file. Just a fact that I disliked in
> other distributions.
I presume that you mean that you disliked the other distributions for
having world-writeable or broken score files.
We should add something to the Guidelines saying that games that need
to write score files, game save files, &c may use the `games' group
(which should be created, of course).
Ian.
Acknowledgement sent to iwj10@cus.cam.ac.uk (Ian Jackson):
Extra info received and forwarded.
Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1118; Package fortune.
Full text available.
Message received at debian-bugs:
From waldorf-gmbh.de!ralf Wed Jul 19 14:08:56 1995
Return-Path: <ralf@waldorf-gmbh.de>
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0sYgMR-0005kyC; Wed, 19 Jul 95 14:08 PDT
Received: from relay.xlink.net by pixar.com with SMTP id AA03552
(5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Wed, 19 Jul 1995 14:07:19 -0700
Received: from scotty.waldorf-gmbh.de by relay.xlink.net
id <31351-0@relay.xlink.net>; Wed, 19 Jul 1995 23:08:02 +0000
From: Ralf Baechle <ralf@waldorf-gmbh.de>
Message-Id: <199507192108.XAA27676@scotty.waldorf-gmbh.de>
Received: from localhost by scotty.waldorf-gmbh.de (8.6.4/WE-1.0.1) id XAA27676;
Wed, 19 Jul 1995 23:08:30 +0200
Subject: Re: Bug#1118: fortune is setuid games ?!
To: iwj10@cus.cam.ac.uk, debian-bugs@pixar.com
Date: Wed, 19 Jul 1995 23:08:28 +0200 (MET DST)
In-Reply-To: <m0sYICE-0000YDZ@chiark.al.cl.cam.ac.uk> from "Ian Jackson" at Jul 18, 95 08:20:00 pm
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Length: 971
Hi,
> The binary /usr/games/fortune is setuid games, and is willing use its
> privelige to read fortune files in arbitrary directories. It is
> probably possible to trick it into spouting out bits of other
> read-protected files belonging to `games'.
>
> Many of the /usr/lib/games/fortune/* files are only readable by user
> `games'.
>
> IMO the setuid should be removed, the files made world-readable, and
> /usr/games/fortune and all the fortune files be made owned by
> root.root as per the packaging Guidelines.
>
> (If we decide to do this then we can change the uid of the `games'
> group because nothing is using it any more. If necessary we could use
> a `find' script to change any residual files.)
I didn't check this extra for Debian but there are some programs line
xtetris that should in my opinion setuid or setgid so that only the
game may write to the highscore file. Just a fact that I disliked in
other distributions.
Happy hacking,
Ralf
Acknowledgement sent to Ralf Baechle <ralf@waldorf-gmbh.de>:
Extra info received and forwarded.
Full text available.
Information forwarded to debian-devel@pixar.com:
Bug#1118; Package fortune.
Full text available.
Message received at debian-bugs:
From cus.cam.ac.uk!iwj10 Wed Jul 19 03:22:23 1995
Return-Path: <iwj10@cus.cam.ac.uk>
Received: from pixar.com by mongo.pixar.com with smtp
(Smail3.1.28.1 #15) id m0sYWGl-000651C; Wed, 19 Jul 95 03:22 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA04361
(5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Wed, 19 Jul 1995 03:20:49 -0700
Received: by bootes.cus.cam.ac.uk
(Smail-3.1.29.0 #36) id m0sYWGe-000C0JC; Wed, 19 Jul 95 11:22 BST
Received: by chiark
id <m0sYICE-0000YDZ@chiark.al.cl.cam.ac.uk>
(Debian /\oo/\ Smail3.1.29.1 #29.32); Tue, 18 Jul 95 20:20 BST
Message-Id: <m0sYICE-0000YDZ@chiark.al.cl.cam.ac.uk>
Date: Tue, 18 Jul 95 20:20 BST
From: iwj10@cus.cam.ac.uk (Ian Jackson)
To: Debian bugs submission address <debian-bugs@pixar.com>
Subject: fortune is setuid games ?!
Package: fortune
Version: 2.1-1
The binary /usr/games/fortune is setuid games, and is willing use its
privelige to read fortune files in arbitrary directories. It is
probably possible to trick it into spouting out bits of other
read-protected files belonging to `games'.
Many of the /usr/lib/games/fortune/* files are only readable by user
`games'.
IMO the setuid should be removed, the files made world-readable, and
/usr/games/fortune and all the fortune files be made owned by
root.root as per the packaging Guidelines.
(If we decide to do this then we can change the uid of the `games'
group because nothing is using it any more. If necessary we could use
a `find' script to change any residual files.)
Ian.
Acknowledgement sent to iwj10@cus.cam.ac.uk (Ian Jackson):
New bug report received and forwarded.
Full text available.
Report forwarded to debian-devel@pixar.com:
Bug#1118; Package fortune.
Full text available.
Ian Jackson /
iwj10@thor.cam.ac.uk,
with the debian-bugs tracking mechanism