From: Jimmy Scott
To: Kris Kennaway
Cc: freebsd-security@freebsd.org, Mathieu Arnold, Stephen Major
Date: Sun, 16 Oct 2005 11:58:34 +0200
Subject: Re: GID Games Exploits
Message-ID: <20051016095834.GA29631@ada.devbox.be>
In-Reply-To: <20051016090445.GA7572@xor.obsecurity.org>

On Sun, Oct 16, 2005 at 05:04:45AM -0400, Kris Kennaway wrote:
> 
> On Sun, Oct 16, 2005 at 10:53:19AM +0200, Jimmy Scott wrote:
> > On Sun, Oct 16, 2005 at 10:15:23AM +0200, Mathieu Arnold wrote:
> > > 
> > > +-On 16/10/2005 00:47 -0400, Kris Kennaway wrote:
> > > | On Sat, Oct 15, 2005 at 09:39:27PM -0700, Stephen Major wrote:
> > > |> It has come to my attention that there are quite a few local exploits
> > > |> circling around in the private sector for GID Games.
> > > |> 
> > > |> Several of the games have vanilla stack overflows in them which can lead to
> > > |> elevation of privileges if successfully exploited.
> > > | 
> > > | Big deal..that's why they're setgid games (which can only write to
> > > | game data files) and not setuid anything important :-)
> > > 
> > > It means that I can change my own score to something better, that's very
> > > important :-)
> > 
> > No! It means you could access directory trees where your own group
> > would not have access to, for example on freeshell.org:
> > 
> > [sdf] ~> ls -al /usr/pkg/bin/perl
> > -rwx---r-x 2 root users 22246 Aug 7 11:16 /usr/pkg/bin/perl
> > 
> > Groups are frequently used for negative permissions, because ACLs would
> > be overkill or not possible on the filesystem in question.
> 
> It's not overkill when the alternative is a security model that is too
> fragile or limited to handle your needs. Unprivileged users/groups
> like 'nobody' and 'games' are supposed to be unprivileged, not have
> extra privileges that normal users don't get, which is the case in the
> above misuse of groups.
> 

I agree this is not a good practice at all, but it is used a lot in
environments where there are clients with no ACL support yet. Or you
don't want the extra ACL support for one directory (and are aware of
these risks, but people aren't; which is explained later). My point of
view is "you don't have ACLs available", which is still the default as
I remember.

> The solution is not to give those entities extra privileges: either
> use ACLs, or don't install games since they violate your intended
> security policy.
> 

Your solution is correct, but it is not documented in the handbook or
the security(7) manpage as I can remember, correct me if I'm wrong.

> Kris

-- 
People usually get what's coming to them ... unless it's been mailed.
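A small model of the access decision the thread is arguing over, added here as an illustration and not part of the original mail or of any FreeBSD code. The uids, gids, paths and modes are constructed for the example (the `perl` entry copies the `-rwx---r-x root users` shape from the quoted `ls` output, but nothing is assumed about freeshell.org). The check follows the classic Unix rule that vaccess(9) implements: owner bits if the uid matches, otherwise group bits if the file's gid equals the effective gid or any supplementary gid, otherwise other bits; only the first matching class is consulted, which is what makes "deny the group, allow everyone else" work as a negative permission. The model also keeps the supplementary group list a process inherited across exec, as the kernel does, so the `alice_as_games` credential carries both `games` and `users`.

```c
#include <stdbool.h>
#include <sys/types.h>

/* Constructed model (example code, not from the mail or from FreeBSD):
 * all ids, paths and modes below are invented for illustration. */

#define DEMO_NGROUPS 16

struct demo_cred {
    uid_t uid;
    gid_t groups[DEMO_NGROUPS]; /* groups[0] is the effective gid, like cr_groups[0] in FreeBSD */
    int   ngroups;
};

struct demo_file {
    const char *path;
    uid_t  uid;
    gid_t  gid;
    mode_t mode; /* permission bits only, e.g. 0705 */
};

enum { DEMO_R = 4, DEMO_W = 2, DEMO_X = 1 };

/* True if gid is the effective gid or any supplementary gid of cr. */
static bool demo_groupmember(gid_t gid, const struct demo_cred *cr)
{
    for (int i = 0; i < cr->ngroups; i++)
        if (cr->groups[i] == gid)
            return true;
    return false;
}

/* Returns true if cr may perform all of 'want' (mask of DEMO_R/W/X) on f.
 * Exactly one class (owner, group, other) is selected; the later classes
 * are never consulted, so group bits of 0 deny a group member even when
 * the other bits would allow. */
bool demo_access(const struct demo_file *f, const struct demo_cred *cr, int want)
{
    int bits;
    if (cr->uid == f->uid)
        bits = (f->mode >> 6) & 7;
    else if (demo_groupmember(f->gid, cr))
        bits = (f->mode >> 3) & 7;
    else
        bits = f->mode & 7;
    return (bits & want) == want;
}

/* Constructed ids (hypothetical users alice and bob). */
enum { UID_ROOT = 0, UID_ALICE = 1001, UID_BOB = 1002 };
enum { GID_GAMES = 13, GID_USERS = 100, GID_ALICE = 1001, GID_BOB = 1002 };

/* "-rwx---r-x root users": members of 'users' are denied, everyone else may run it. */
static const struct demo_file perl  = { "/usr/pkg/bin/perl",        UID_ROOT, GID_USERS, 0705 };
/* A score file that a setgid-games binary is meant to update. */
static const struct demo_file score = { "/var/games/example.scores", UID_ROOT, GID_GAMES, 0664 };

static struct demo_cred alice_cred(void)
{
    struct demo_cred c = { UID_ALICE, { GID_ALICE, GID_USERS }, 2 };
    return c;
}

static struct demo_cred bob_cred(void)
{
    struct demo_cred c = { UID_BOB, { GID_BOB }, 1 };
    return c;
}

/* alice's process after running a setgid games binary: the effective gid
 * becomes games, the supplementary list she logged in with is inherited. */
static struct demo_cred alice_as_games(void)
{
    struct demo_cred c = { UID_ALICE, { GID_GAMES, GID_USERS }, 2 };
    return c;
}

bool alice_may_exec_perl(void)           { struct demo_cred c = alice_cred();     return demo_access(&perl,  &c, DEMO_X); }
bool bob_may_exec_perl(void)             { struct demo_cred c = bob_cred();       return demo_access(&perl,  &c, DEMO_X); }
bool alice_as_games_may_exec_perl(void)  { struct demo_cred c = alice_as_games(); return demo_access(&perl,  &c, DEMO_X); }
bool alice_may_write_score(void)         { struct demo_cred c = alice_cred();     return demo_access(&score, &c, DEMO_W); }
bool alice_as_games_may_write_score(void){ struct demo_cred c = alice_as_games(); return demo_access(&score, &c, DEMO_W); }
```

In this model alice (a member of `users`) cannot execute the 0705 `perl`, while bob (not a member) can; with `games` added to her credential she still cannot, because `users` remains in her group list, but she does gain write access to anything keyed on group `games`, which is the set of files Kris refers to as game data. A setgid binary therefore widens what its caller can reach by exactly the files and directories that grant the `games` group something, and by nothing else.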