From: Kris Kennaway
To: Jimmy Scott
Cc: freebsd-security@freebsd.org, Kris Kennaway, Mathieu Arnold, Stephen Major
Date: Sun, 16 Oct 2005 05:04:45 -0400
Subject: Re: GID Games Exploits
Message-ID: <20051016090445.GA7572@xor.obsecurity.org>
In-Reply-To: <20051016085319.GA11795@ada.devbox.be>
List: freebsd-security@freebsd.org ("Security issues [members-only posting]")

On Sun, Oct 16, 2005 at 10:53:19AM +0200, Jimmy Scott wrote:
> On Sun, Oct 16, 2005 at 10:15:23AM +0200, Mathieu Arnold wrote:
> >
> > On 16/10/2005 00:47 -0400, Kris Kennaway wrote:
> > | On Sat, Oct 15, 2005 at 09:39:27PM -0700, Stephen Major wrote:
> > |> It has come to my attention that there are quite a few local exploits
> > |> circling around in the private sector for GID Games.
> > |>
> > |> Several of the games have vanilla stack overflows in them which can lead to
> > |> elevation of privileges if successfully exploited.
> > |
> > | Big deal.. that's why they're setgid games (which can only write to
> > | game data files) and not setuid anything important :-)
> >
> > It means that I can change my own score to something better, that's very
> > important :-)
>
> No! It means you could access directory trees to which your own group
> would not have access, for example on freeshell.org:
>
> [sdf] ~> ls -al /usr/pkg/bin/perl
> -rwx---r-x 2 root users 22246 Aug 7 11:16 /usr/pkg/bin/perl
>
> Groups are frequently used for negative permissions, because ACLs would
> be overkill or not possible on the filesystem in question.

It's not overkill when the alternative is a security model that is too
fragile or limited to handle your needs. Unprivileged users/groups like
'nobody' and 'games' are supposed to be unprivileged, not have extra
privileges that normal users don't get, which is the case in the above
misuse of groups. The solution is not to give those entities extra
privileges: either use ACLs, or don't install games since they violate
your intended security policy.

Kris
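The negative-permission trick Jimmy describes, and why a process running with a different effective group is not bound by it, as an added example in Python (not code from the thread). It models the classic Unix mode check in which exactly one class is selected; the uids/gids, the second file and the assumption that 'users' is only the login user's passwd primary group are constructed for the demo.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one class (rwx)

@dataclass(frozen=True)
class FileMeta:
    path: str
    mode: int   # permission bits only, e.g. 0o705 for -rwx---r-x
    uid: int
    gid: int

@dataclass(frozen=True)
class Cred:
    euid: int
    egid: int
    groups: frozenset = frozenset()  # supplementary groups

def access_allowed(f: FileMeta, cred: Cred, want: int) -> bool:
    """Classic Unix mode check: exactly one class (owner, group, other)
    is selected and only that class's bits are consulted."""
    if cred.euid == 0:  # root: read/write always, execute if any x bit is set
        return not (want & X) or bool(f.mode & 0o111)
    if cred.euid == f.uid:
        bits = (f.mode >> 6) & 7
    elif cred.egid == f.gid or f.gid in cred.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want

def negative_permission_files(files):
    """Audit helper: files whose group class grants less than the
    'other' class, i.e. the group is being used as a deny list."""
    return [f.path for f in files if (f.mode & 7) & ~((f.mode >> 3) & 7)]

# Constructed sample: the perl binary from the post (-rwx---r-x root users).
# Assumed gids: users=100, games=13; assumed uid of the shell user: 1001.
PERL = FileMeta("/usr/pkg/bin/perl", 0o705, uid=0, gid=100)
SH = FileMeta("/bin/sh", 0o755, uid=0, gid=0)

# Ordinary login shell: egid 'users', so the empty group class applies.
user = Cred(euid=1001, egid=100)
# Same user inside a setgid-games process: egid is now 'games'; assuming
# 'users' is only the passwd primary group (not listed in /etc/group) it
# is absent from the supplementary list, so the 'other' class applies.
via_games = Cred(euid=1001, egid=13)

if __name__ == "__main__":
    print(access_allowed(PERL, user, X), access_allowed(PERL, via_games, X))
    print(negative_permission_files([PERL, SH]))
```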