oli@odbffm.incom.de (Oliver Boehmer) (04/18/91)
Hi!

When I recently went through the setuid files on my system, I found that
/usr/games/lib/hackdir/hack (the actual nethack program) is setuid-root.
This version is part of SCO XENIX Games and was installed with these
permissions by the SCO utility custom:

    HACK   x4511   root/root   1   ./usr/games/lib/hackdir/hack   01

Hack allows shell escapes, and I don't have to say what this means.
If it weren't so serious, I'd laugh about this. But isn't it the right
filename for something like that?

Anyway, it's about time you went through your setuid files:

    find / \( -perm -4000 -o -perm -6000 \) -print

oli
--
Oliver Boehmer, Frankfurt, Germany          oli@odbffm.incom.de
+49-69-331461 (voice)   +49-60-308265 (1200/2400)
If God is perfect, why did He create discontinuous functions?
allbery@NCoast.ORG (Brandon S. Allbery KB8JRR/AA) (04/19/91)
As quoted from <1991Apr17.192850.10450@odbffm.incom.de> by oli@odbffm.incom.de (Oliver Boehmer):
+---------------
| When I recently went through the setuid-files on my system, I found, that
| /usr/games/lib/hackdir/hack (the actual nethack-program) is setuid-root.
| This version is part of SCO-XENIX Games and was installed with this
| permissions by the SCO-Utility custom.
+---------------

Gaaaaaaaaaaaaaaaaaaak.  I've heard of stupid security holes, but that one has
to take the cake.

++Brandon
--
Me: Brandon S. Allbery             Ham: KB8JRR/AA on 2m, 220, 440, 1200
Internet: allbery@NCoast.ORG       (QRT on HF until local problems fixed)
America OnLine: KB8JRR // Delphi: ALLBERY     AMPR: kb8jrr.AmPR.ORG [44.70.4.88]
uunet!usenet.ins.cwru.edu!ncoast!allbery      KB8JRR @ WA8BXN.OH
craig@bacchus.esa.oz.au (Craig Macbride) (04/19/91)
In <1991Apr17.192850.10450@odbffm.incom.de> oli@odbffm.incom.de (Oliver Boehmer) writes:

>HACK x4511 root/root 1 ./usr/games/lib/hackdir/hack 01
>Hack allows shell escapes and I don't have to say what this means.
>If it wouldn't be so serious, I'd laugh about this.
[ ... ]

Serious? Unless SCO's version of hack is stupidly broken, it will setuid back
to the original uid of the person running it before spawning any shells or
other external programs. It needs to be setuid to something to be able to
access its save files and other data files without users being able to modify
them.

Probably the most sensible solution is to make a user "games", make all the
hack data directories owned by and accessible to this user, and make hack run
setuid games. Having it run as root is unnecessary but nothing to worry about
so long as the program switches back to the user's real uid before execing any
other program, especially sh.

If SCO's hack is broken such that it keeps the new uid when running a shell
escape, then whatever uid (root or games or whatever) you give it will be
accessible to everyone when they do such a shell escape, and hack's data files
will be able to be overwritten by any user who feels like it (for raising
their own scores, etc.).

The easy solution is not to have it on at all. After all, hack's only really
fun when you can alter the source and give the players a few surprises every
so often! :-)

      _--_|\     Craig Macbride <craig@bacchus.esa.oz.au>
     /      \
     \_.--.*/    Expert Solutions Australia
           v
--
_____________________________________________________________________________
| Craig Macbride, craig@bacchus.esa.oz.au | Hardware:                       |
|                                         |   The parts of a computer       |
| Expert Solutions Australia              |   which you can kick!           |
wdh@holos0.uucp (Weaver Hickerson) (04/23/91)
In article <1991Apr18.233851.29567@NCoast.ORG> allbery@ncoast.ORG (Brandon S. Allbery KB8JRR/AA) writes:
>As quoted from <1991Apr17.192850.10450@odbffm.incom.de> by oli@odbffm.incom.de (Oliver Boehmer):
>+---------------
>| When I recently went through the setuid-files on my system, I found, that
>| /usr/games/lib/hackdir/hack (the actual nethack-program) is setuid-root.
>| This version is part of SCO-XENIX Games and was installed with this
>| permissions by the SCO-Utility custom.
>+---------------
>
>Gaaaaaaaaaaaaaaaaaaak.  I've heard of stupid security holes, but that one has
>to take the cake.
>
>++Brandon

We don't have any of the games here, but I was wondering, is it perhaps
possible that we have something like a:

    switch ((pid = fork())) {
    case 0:
        setuid(saveduid);
        exec(...);
        exit(-1);
    /* blah blah */
    }

In other words, the shell escape is NOT root and never will be. That's prolly
the way I would do it.

Oh well, what the hack!

Weaver
--
-Weaver Hickerson   Voice (404) 496-1358 : ..!edu!gatech!holos0!wdh
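The pattern Craig describes (switch back to the player's real uid before execing sh) and the fork/setuid/exec sketch in Weaver's post, written out as an added example. This is not code from the thread, from hack, or from SCO; the names drop_privileges and shell_escape and the "/bin/sh -c" escape are my own assumptions. It adds the two checks the sketch leaves out: the return value of the uid change must be tested before the shell is started, and a plain setuid(getuid()) does not clear the saved uid when the binary is setuid to a non-root account such as games, so the child could take that uid back with another setuid() call.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/*
 * Permanently give up whatever the set-uid/set-gid bits granted, so that a
 * child started afterwards runs as the player, not as root or "games".
 * Returns 0 only after verifying that the drop really happened.
 */
int drop_privileges(void)
{
    uid_t real_uid = getuid();
    uid_t priv_uid = geteuid();   /* root, games, ... whatever the binary is setuid to */
    gid_t real_gid = getgid();

    /* Group first: once the uid is dropped we may no longer be allowed to change it. */
    if (setregid(real_gid, real_gid) != 0)
        return -1;

    /*
     * setuid(real_uid) is enough for a root-setuid binary, but for a
     * setuid-games binary it changes only the effective uid and leaves the
     * saved uid as "games", so the child could get it back with setuid(games).
     * setreuid() with both arguments equal to the real uid also replaces the
     * saved uid, which closes that hole.
     */
    if (setreuid(real_uid, real_uid) != 0)
        return -1;

    /* Never trust the call blindly: check the ids, and check that the old uid cannot be regained. */
    if (geteuid() != real_uid || getegid() != real_gid)
        return -1;
    if (priv_uid != real_uid && setuid(priv_uid) == 0)
        return -1;   /* we got it back, so the drop was not permanent */

    return 0;
}

/*
 * Run a shell command on behalf of the player (the "!" escape of a game).
 * Privileges are dropped in the child, after fork() and before exec(), so the
 * game process itself keeps its access to the score and save files.
 * Returns the command's exit status, or -1 on failure.
 */
int shell_escape(const char *cmd)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* If the drop fails, refuse to run the shell rather than run it privileged. */
        if (drop_privileges() != 0)
            _exit(127);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);   /* exec failed */
    }

    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Installed setuid, both numbers printed by the escape must be the player's uid. */
    int rc = shell_escape("echo \"real uid $(id -ru), effective uid $(id -u)\"");
    printf("shell escape exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The same check can be done by hand on an installed game: use its shell escape, run `id`, and compare the uid shown with the owner of the binary. If the escape reports root or games, the program keeps the new uid across exec and every player gets that account.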