[net.unix-wizards] protecting games

bob%ucla-locus@sri-unix.UUCP (09/19/83)

From:            Bob English <bob@ucla-locus>

Protecting the "real" game programs and using a SUID or SGID program
to access them works just fine UNLESS the game program itself allows
the user to fork off a shell.  If that occurs, the user would
have all the permissions he needs to access the games himself
(the SGID case is particularly nasty).

In order for the Trojan Horse method to work, the permissions
needed to invoke the game must be denied to the game itself.
The only way to do this reliably is to have a "Lose effective
u/gid on exec" function, which does not exist in v7 or 4.1bsd
(I'm not sure about later versions).

This, of course, involves changing the kernel.

--bob--

flamer@omsvax.UUCP (09/23/83)

   Why not do a setuid(getuid()) immediately after forking and before
   the exec()?  The user in the subshell will get his own uid as the
   effective uid.  When the subshell is terminated, you're back in the
   game with the suid.

laura@utcsstat.UUCP (Laura Creighton) (09/25/83)

Why don't you just set the uid and gid bits before execl'ing the shell?

i.e.:

		/* drop the group first; IDMASK isolates the real id, as in the original post */
		if (setgid(getgid()&IDMASK) < 0 || setuid(getuid()&IDMASK) < 0) {
			perror("Can't drop privileges.");
			exit(-1);
		}
		execl(sh == NULL ? "/bin/sh" : sh, "sh", "-i", (char *)0);	/* arg list ends with a null pointer */
		perror("No shell.");
		exit(-1);

it seems a lot better than hacking your kernel.

laura creighton
utzoo!utcsstat!laura

ron%brl-vgr@sri-unix.UUCP (09/28/83)

From:      Ron Natalie <ron@brl-vgr>

The problem with doing the setuid back before doing the exec is that
then the program no longer has permission to exec the program so it
will always fail.  What the original submitter wanted was a "check
the permissions to see if it's OK to exec, then setuid back" version
of exec.

-Ron

jack@vu44.UUCP (Jack Jansen) (09/30/83)

If you don't have sources of the games, you can always
try to set the environment variable SHELL to /usr/games/SHELL,
and let that be a program that does
	#include <stdio.h>
	#include <unistd.h>
	int main(int argc, char **argv)
	{
	  /* gid first: once the uid is dropped, a non-root process may not be able to change its gid */
	  if (setgid(getgid()) < 0 || setuid(getuid()) < 0) { perror("setgid/setuid"); return 1; }
	  execv("/bin/sh", argv);	/* execv takes (path, argv); there is no argc parameter */
	  perror("/bin/sh");
	  return 1;
	}
This way, users can get a shell, and you are protected.
(if the game understands about SHELL, of course)
	Jack Jansen, {philabs|decvax}!mcvax!vu44!jack
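The SHELL-program approach above, and the setgid/setuid snippet in Laura's post, written out as an added example (not code from any poster) for a present-day Linux or BSD system, which the thread's v7/4.1bsd did not have: setresgid/setresuid overwrite the saved set-id as well as the effective one, since in an unprivileged process plain setgid()/setuid() change only the effective id and leave the saved id from which a child shell could climb back, and the drop is verified before the shell is started.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently drop the set-group-id / set-user-id privilege a games
 * wrapper (or a /usr/games/SHELL-style program) was started with.
 * Returns 0 on success, -1 on any failure.
 *  - gid is dropped before uid: once the uid is gone, a non-root
 *    process may no longer be allowed to change its gid.
 *  - setresgid/setresuid (Linux, *BSD; assumed available here) set
 *    the real, effective AND saved ids; in an unprivileged process
 *    plain setgid()/setuid() change only the effective id. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    return 0;
}

/* Verify the drop: real, effective and saved ids must all equal the
 * real id.  Returns 1 if fully dropped, 0 otherwise. */
int privileges_dropped(void)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return ru == eu && ru == su && rg == eg && rg == sg;
}

/* The SHELL program from the thread, refusing to run the shell unless
 * the privilege drop is verified. */
int main(int argc, char **argv)
{
    (void)argc;
    if (drop_privileges() != 0 || !privileges_dropped()) {
        fprintf(stderr, "refusing to start shell: still privileged\n");
        return 1;
    }
    execv("/bin/sh", argv);
    perror("execv");
    return 1;
}
```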

dav@berkeley@csuf.UUCP (10/06/83)

the problem with your suggestions of setuid before exec is that many times
the source code is not available.

			David L. Markowitz
			Rockwell International
			...!ucbvax!{ucivax,trw-unix}!csuf!dav