Debian bug report logs - #1118, boring messages

-----------------------------------------------------------------------
Message sent to debian-devel@pixar.com:

Subject: Bug#1118: fortune is setuid games ?!
Reply-To: iwj10@cus.cam.ac.uk (Ian Jackson), debian-bugs@pixar.com
Resent-To: debian-devel@pixar.com
Resent-From: iwj10@cus.cam.ac.uk (Ian Jackson)
Resent-Sender: iwj10@cus.cam.ac.uk
Resent-Date: Wed, 19 Jul 1995 10:33:10 GMT
Resent-Message-ID:
X-Debian-PR-Package: fortune
X-Debian-PR-Keywords:
Received: via spool for debian-bugs; Wed, 19 Jul 1995 10:33:10 GMT
Received: with rfc822 via encapsulated-mail id 071910243128005; Wed, 19 Jul 1995 10:24:32 GMT
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0sYWGl-000651C; Wed, 19 Jul 95 03:22 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA04361 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Wed, 19 Jul 1995 03:20:49 -0700
Received: by bootes.cus.cam.ac.uk (Smail-3.1.29.0 #36) id m0sYWGe-000C0JC; Wed, 19 Jul 95 11:22 BST
Received: by chiark id (Debian /\oo/\ Smail3.1.29.1 #29.32); Tue, 18 Jul 95 20:20 BST
Message-Id:
Date: Tue, 18 Jul 95 20:20 BST
From: iwj10@cus.cam.ac.uk (Ian Jackson)
To: Debian bugs submission address

Package: fortune
Version: 2.1-1

The binary /usr/games/fortune is setuid games, and is willing to use its
privilege to read fortune files in arbitrary directories.  It is
probably possible to trick it into spouting out bits of other
read-protected files belonging to `games'.

Many of the /usr/lib/games/fortune/* files are only readable by user
`games'.

IMO the setuid should be removed, the files made world-readable, and
/usr/games/fortune and all the fortune files be made owned by
root.root as per the packaging Guidelines.

(If we decide to do this then we can change the uid of the `games'
group because nothing is using it any more.  If necessary we could use
a `find' script to change any residual files.)

Ian.
-----------------------------------------------------------------------
Message sent:

From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: iwj10@cus.cam.ac.uk (Ian Jackson)
Subject: Bug#1118: Acknowledgement (was: fortune is setuid games ?!)
In-Reply-To:
References:

Thank you for the problem report you have sent regarding Debian
GNU/Linux.

This is an automatically generated reply, to let you know your message
has been received.  It is being forwarded to the developers' mailing
list for their attention; they will reply in due course.

If you wish to submit further information on your problem, please send
it to debian-bugs@pixar.com, but please ensure that the Subject line
of your message starts with "Bug#1118" or "Re: Bug#1118" so that we
can identify it as relating to the same problem.

Please do not reply to the address at the top of this message, unless
you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, debian-bugs)

-----------------------------------------------------------------------
Message sent to debian-devel@pixar.com:

Subject: Bug#1118: fortune is setuid games ?!
Reply-To: Ralf Baechle, debian-bugs@pixar.com
Resent-To: debian-devel@pixar.com
Resent-From: Ralf Baechle
Resent-Sender: iwj10@cus.cam.ac.uk
Resent-Date: Wed, 19 Jul 1995 21:18:02 GMT
Resent-Message-ID:
X-Debian-PR-Package: fortune
X-Debian-PR-Keywords:
Received: via spool for debian-bugs; Wed, 19 Jul 1995 21:18:02 GMT
Received: with rfc822 via encapsulated-mail id 071921100216687; Wed, 19 Jul 1995 21:10:02 GMT
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0sYgMR-0005kyC; Wed, 19 Jul 95 14:08 PDT
Received: from relay.xlink.net by pixar.com with SMTP id AA03552 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Wed, 19 Jul 1995 14:07:19 -0700
Received: from scotty.waldorf-gmbh.de by relay.xlink.net id <31351-0@relay.xlink.net>; Wed, 19 Jul 1995 23:08:02 +0000
From: Ralf Baechle
Message-Id: <199507192108.XAA27676@scotty.waldorf-gmbh.de>
Received: from localhost by scotty.waldorf-gmbh.de (8.6.4/WE-1.0.1) id XAA27676; Wed, 19 Jul 1995 23:08:30 +0200
To: iwj10@cus.cam.ac.uk, debian-bugs@pixar.com
Date: Wed, 19 Jul 1995 23:08:28 +0200 (MET DST)
In-Reply-To: from "Ian Jackson" at Jul 18, 95 08:20:00 pm
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Length: 971

Hi,

> The binary /usr/games/fortune is setuid games, and is willing to use its
> privilege to read fortune files in arbitrary directories.  It is
> probably possible to trick it into spouting out bits of other
> read-protected files belonging to `games'.
>
> Many of the /usr/lib/games/fortune/* files are only readable by user
> `games'.
>
> IMO the setuid should be removed, the files made world-readable, and
> /usr/games/fortune and all the fortune files be made owned by
> root.root as per the packaging Guidelines.
>
> (If we decide to do this then we can change the uid of the `games'
> group because nothing is using it any more.  If necessary we could use
> a `find' script to change any residual files.)
I didn't check this extra for Debian but there are some programs like
xtetris that should in my opinion be setuid or setgid so that only the
game may write to the highscore file.  Just a fact that I disliked in
other distributions.

Happy hacking,

  Ralf

-----------------------------------------------------------------------
Message sent:

From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: Ralf Baechle
Subject: Bug#1118: Info received (was Bug#1118: fortune is setuid games ?!)
In-Reply-To: <199507192108.XAA27676@scotty.waldorf-gmbh.de>
References: <199507192108.XAA27676@scotty.waldorf-gmbh.de>

Thank you for the additional information you have supplied regarding
this problem report.  It has been forwarded to the developers to
accompany the original report.

If you wish to continue to submit further information on your problem,
please do the same thing again: send it to debian-bugs@pixar.com,
ensuring that the Subject line starts with "Bug#1118" or "Re: Bug#1118"
so that we can identify it as relating to the same problem.

Please do not reply to the address at the top of this message, unless
you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, debian-bugs)

-----------------------------------------------------------------------
Message sent to debian-devel@pixar.com:

Subject: Bug#1118: fortune is setuid games ?!
Reply-To: iwj10@cus.cam.ac.uk (Ian Jackson), debian-bugs@pixar.com
Resent-To: debian-devel@pixar.com
Resent-From: iwj10@cus.cam.ac.uk (Ian Jackson)
Resent-Sender: iwj10@cus.cam.ac.uk
Resent-Date: Thu, 20 Jul 1995 20:33:01 GMT
Resent-Message-ID:
X-Debian-PR-Package: fortune
X-Debian-PR-Keywords:
Received: via spool for debian-bugs; Thu, 20 Jul 1995 20:33:01 GMT
Received: with rfc822 via encapsulated-mail id 07202028524341; Thu, 20 Jul 1995 20:28:53 GMT
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0sZ2BR-000AC2C; Thu, 20 Jul 95 13:27 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA07387 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 20 Jul 1995 13:25:22 -0700
Received: by bootes.cus.cam.ac.uk (Smail-3.1.29.0 #36) id m0sZ2B5-000C0YC; Thu, 20 Jul 95 21:26 BST
Received: by chiark id (Debian /\oo/\ Smail3.1.29.1 #29.32); Thu, 20 Jul 95 21:06 BST
Message-Id:
Date: Thu, 20 Jul 95 21:06 BST
From: iwj10@cus.cam.ac.uk (Ian Jackson)
To: Ralf Baechle
Cc: debian-bugs@pixar.com
In-Reply-To: <199507192108.XAA27676@scotty.waldorf-gmbh.de>
References: <199507192108.XAA27676@scotty.waldorf-gmbh.de>

Ralf Baechle writes ("Re: Bug#1118: fortune is setuid games ?!"):
> I didn't check this extra for Debian but there are some programs like
> xtetris that should in my opinion be setuid or setgid so that only the
> game may write to the highscore file.  Just a fact that I disliked in
> other distributions.

I presume that you mean that you disliked the other distributions for
having world-writeable or broken score files.

We should add something to the Guidelines saying that games that need
to write score files, game save files, &c may use the `games' group
(which should be created, of course).

Ian.
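The two remedies discussed in this thread (strip the setuid bit from a read-only program such as fortune and make its data world-readable; give a game that must write a shared score file setgid `games' rather than setuid) as an added shell example. This is not code from the bug log or from the fortune package; the directory layout, file names and the name of the `games' group are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of Bug#1118 or the fortune package.
# Audits a games prefix for the two conditions Ian describes and applies
# either fix. Paths and the `games' group name are assumptions.

# Every regular file under $1 with the setuid or setgid bit set.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Every regular file under $1 that is not world-readable (the fortune
# data files Ian mentions were readable only by user games).
list_unreadable() {
    find "$1" -type f ! -perm -004 -print
}

# Fix 1 (fortune): a program that only reads needs no privilege at all.
# Strip setuid/setgid from the binary and make the data world-readable;
# chown to root:root only works as root, so it is attempted, not required.
drop_privilege_read_only() {
    bin="$1"; datadir="$2"
    chmod u-s,g-s "$bin" || return 1
    chmod a+r "$datadir" || return 1
    find "$datadir" -type f -exec chmod a+r {} + || return 1
    if ! chown root:root "$bin" 2>/dev/null; then
        echo "note: re-run as root to chown $bin to root:root" >&2
    fi
    return 0
}

# Fix 2 (score files): a game that must write a shared file is made
# setgid `games' (never setuid); the score file is group-writable by that
# group and world-readable but not world-writable.
setgid_for_score_file() {
    bin="$1"; scorefile="$2"; group="${3:-games}"
    chgrp "$group" "$bin" "$scorefile" || return 1
    chmod u-s,g+s "$bin" || return 1   # setgid only, no setuid
    chmod 664 "$scorefile" || return 1 # owner+group write, world read
    return 0
}

# Usage: sh audit_games.sh /usr/games /usr/lib/games
if [ $# -ge 1 ]; then
    echo "setuid/setgid files:";    for d in "$@"; do list_privileged "$d"; done
    echo "not world-readable:";     for d in "$@"; do list_unreadable "$d"; done
fi
```

Run the script with a prefix to list both conditions before deciding which fix applies; drop_privilege_read_only is the right answer whenever the program never writes, and setgid_for_score_file is the fallback only for programs that genuinely need a shared writable file.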
-----------------------------------------------------------------------
Message sent:

From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: iwj10@cus.cam.ac.uk (Ian Jackson)
Subject: Bug#1118: Info received (was Bug#1118: fortune is setuid games ?!)
In-Reply-To:
References:

Thank you for the additional information you have supplied regarding
this problem report.  It has been forwarded to the developers to
accompany the original report.

If you wish to continue to submit further information on your problem,
please do the same thing again: send it to debian-bugs@pixar.com,
ensuring that the Subject line starts with "Bug#1118" or "Re: Bug#1118"
so that we can identify it as relating to the same problem.

Please do not reply to the address at the top of this message, unless
you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, debian-bugs)

-----------------------------------------------------------------------
Ian Jackson / iwj10@thor.cam.ac.uk, with the debian-bugs tracking mechanism
This page last modified 07:43:01 GMT Wed 01 Nov