Date: Thu, 22 Nov 2001 02:48:13 -0800 From: Kris Kennaway <kris@obsecurity.org> To: Anthony Atkielski <anthony@freebie.atkielski.com> Cc: FreeBSD Questions <freebsd-questions@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG Subject: Re: setuid on nethack? Message-ID: <20011122024813.A24038@xor.obsecurity.org> In-Reply-To: <014201c17336$40653f90$0a00000a@atkielski.com>; from anthony@freebie.atkielski.com on Thu, Nov 22, 2001 at 10:15:37AM %2B0100 References: <014201c17336$40653f90$0a00000a@atkielski.com>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] On Thu, Nov 22, 2001 at 10:15:37AM +0100, Anthony Atkielski wrote: > This morning I see an e-mail from the system telling me that setuid is set on > nethack, the adventure-style game that I installed recently. Why would this > game require this bit? I reset it with chmod 0544, which seems like plenty to On multiuser systems the nethack binary needs the ability to write saved games and score files, when nethack is run by a variety of different users. This is the case for a lot of games; a while back I went through and did a sweep to make sure that any games which require extra privilege for this purpose are using setgid games, not setuid anything (because the games gid only has the power to overwrite the score/save files for the games, and cannot take over any binaries directly as it could if they were setuid). Thus, it's only a marginal risk on a multiuser system (but still a slight risk, as with all binaries which execute with privilege). If you're on a single-user system then none of this should concern you anyway. If it does concern you then feel free to pkg_delete :-) Kris [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7/NfsWry0BWjoQKURAkHTAJ9kTVMSSaJDrqKOB0gMyGSoK+nVBgCgt8JQ weWg4ow4qMSzJcIM6MiRZVk= =aVwK -----END PGP SIGNATURE-----help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011122024813.A24038>