Debian bug report logs - #1118 fortune is setuid games ?! Package: fortune ; Reported by: iwj10@cus.cam.ac.uk (Ian Jackson); 104 days old . ----------------------------------------------------------------------- Message received at debian-bugs: From cus.cam.ac.uk!iwj10 Thu Jul 20 13:27:06 1995 Return-Path: Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0sZ2BR-000AC2C; Thu, 20 Jul 95 13:27 PDT Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA07387 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 20 Jul 1995 13:25:22 -0700 Received: by bootes.cus.cam.ac.uk (Smail-3.1.29.0 #36) id m0sZ2B5-000C0YC; Thu, 20 Jul 95 21:26 BST Received: by chiark id (Debian /\oo/\ Smail3.1.29.1 #29.32); Thu, 20 Jul 95 21:06 BST Message-Id: Date: Thu, 20 Jul 95 21:06 BST From: iwj10@cus.cam.ac.uk (Ian Jackson) To: Ralf Baechle Cc: debian-bugs@pixar.com Subject: Re: Bug#1118: fortune is setuid games ?! In-Reply-To: <199507192108.XAA27676@scotty.waldorf-gmbh.de> References: <199507192108.XAA27676@scotty.waldorf-gmbh.de> Ralf Baechle writes ("Re: Bug#1118: fortune is setuid games ?!"): > I didn't check this extra for Debian but there are some programs line > xtetris that should in my opinion setuid or setgid so that only the > game may write to the highscore file. Just a fact that I disliked in > other distributions. I presume that you mean that you disliked the other distributions for having world-writeable or broken score files. We should add something to the Guidelines saying that games that need to write score files, game save files, &c may use the `games' group (which should be created, of course). Ian. ----------------------------------------------------------------------- Acknowledgement sent to iwj10@cus.cam.ac.uk (Ian Jackson) : Extra info received and forwarded. Full text available. ----------------------------------------------------------------------- Information forwarded to debian-devel@pixar.com : Bug#1118 ; Package fortune . Full text available. ----------------------------------------------------------------------- Message received at debian-bugs: From waldorf-gmbh.de!ralf Wed Jul 19 14:08:56 1995 Return-Path: Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0sYgMR-0005kyC; Wed, 19 Jul 95 14:08 PDT Received: from relay.xlink.net by pixar.com with SMTP id AA03552 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Wed, 19 Jul 1995 14:07:19 -0700 Received: from scotty.waldorf-gmbh.de by relay.xlink.net id <31351-0@relay.xlink.net>; Wed, 19 Jul 1995 23:08:02 +0000 From: Ralf Baechle Message-Id: <199507192108.XAA27676@scotty.waldorf-gmbh.de> Received: from localhost by scotty.waldorf-gmbh.de (8.6.4/WE-1.0.1) id XAA27676; Wed, 19 Jul 1995 23:08:30 +0200 Subject: Re: Bug#1118: fortune is setuid games ?! To: iwj10@cus.cam.ac.uk, debian-bugs@pixar.com Date: Wed, 19 Jul 1995 23:08:28 +0200 (MET DST) In-Reply-To: from "Ian Jackson" at Jul 18, 95 08:20:00 pm Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Length: 971 Hi, > The binary /usr/games/fortune is setuid games, and is willing use its > privelige to read fortune files in arbitrary directories. It is > probably possible to trick it into spouting out bits of other > read-protected files belonging to `games'. > > Many of the /usr/lib/games/fortune/* files are only readable by user > `games'. > > IMO the setuid should be removed, the files made world-readable, and > /usr/games/fortune and all the fortune files be made owned by > root.root as per the packaging Guidelines. > > (If we decide to do this then we can change the uid of the `games' > group because nothing is using it any more. If necessary we could use > a `find' script to change any residual files.) I didn't check this extra for Debian but there are some programs line xtetris that should in my opinion setuid or setgid so that only the game may write to the highscore file. Just a fact that I disliked in other distributions. Happy hacking, Ralf ----------------------------------------------------------------------- Acknowledgement sent to Ralf Baechle : Extra info received and forwarded. Full text available. ----------------------------------------------------------------------- Information forwarded to debian-devel@pixar.com : Bug#1118 ; Package fortune . Full text available. ----------------------------------------------------------------------- Message received at debian-bugs: From cus.cam.ac.uk!iwj10 Wed Jul 19 03:22:23 1995 Return-Path: Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0sYWGl-000651C; Wed, 19 Jul 95 03:22 PDT Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA04361 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Wed, 19 Jul 1995 03:20:49 -0700 Received: by bootes.cus.cam.ac.uk (Smail-3.1.29.0 #36) id m0sYWGe-000C0JC; Wed, 19 Jul 95 11:22 BST Received: by chiark id (Debian /\oo/\ Smail3.1.29.1 #29.32); Tue, 18 Jul 95 20:20 BST Message-Id: Date: Tue, 18 Jul 95 20:20 BST From: iwj10@cus.cam.ac.uk (Ian Jackson) To: Debian bugs submission address Subject: fortune is setuid games ?! Package: fortune Version: 2.1-1 The binary /usr/games/fortune is setuid games, and is willing use its privelige to read fortune files in arbitrary directories. It is probably possible to trick it into spouting out bits of other read-protected files belonging to `games'. Many of the /usr/lib/games/fortune/* files are only readable by user `games'. IMO the setuid should be removed, the files made world-readable, and /usr/games/fortune and all the fortune files be made owned by root.root as per the packaging Guidelines. (If we decide to do this then we can change the uid of the `games' group because nothing is using it any more. If necessary we could use a `find' script to change any residual files.) Ian. ----------------------------------------------------------------------- Acknowledgement sent to iwj10@cus.cam.ac.uk (Ian Jackson) : New bug report received and forwarded. Full text available. ----------------------------------------------------------------------- Report forwarded to debian-devel@pixar.com : Bug#1118 ; Package fortune . Full text available. ----------------------------------------------------------------------- Ian Jackson / iwj10@thor.cam.ac.uk , with the debian-bugs tracking mechanism This page last modified 07:43:01 GMT Wed 01 Nov