Date:      08 Mar 2000 00:52:03 -0800
From:      asami@freebsd.org (Satoshi - Ports Wraith - Asami)
To:        Kris Kennaway <kris@hub.freebsd.org>
Cc:        security@freebsd.org, ports@freebsd.org
Subject:   Re: cvs commit: ports/games/omega Makefile (fwd)
Message-ID:  <vqcd7p5j13g.fsf@silvia.hip.berkeley.edu>
In-Reply-To: Kris Kennaway's message of "Wed, 8 Mar 2000 00:42:26 -0800 (PST)"
References:  <Pine.BSF.4.21.0003080033520.70163-100000@hub.freebsd.org>

 * From: Kris Kennaway <kris@hub.freebsd.org>

 * I'm not going to generate a security advisory about this, but reinstall
 * this port if you have it.

Thanks for catching it.

 * In general, if you have anything installed which is setuid games on a
 * multiuser machine, it's a good candidate for removal (games aren't the
 * most securely-programmed things):
 * 
 * find /usr/local/bin -user games -perm -4000
 * 
 * Ports maintainers who own such a file (please check the above!) please
 * make the necessary changes to install it setgid games, not setuid foo.
 * 
 * A user who exploits a game binary to get the games group probably can't do
 * much apart from alter game score/save files (although this still might be
 * a security risk if you can convince the game to somehow execute code you
 * put in the file), whereas if they have setuid games they can trojan the
 * binary directly for the next user.

This should not be allowed to happen.  Shouldn't all binaries be
installed without write permission?  That's the way it is in /usr,
maybe we should mandate it in /usr/local and /usr/X11R6.  (Hmm, why
do imake config files want to install stuff with permission *755?)

Satoshi
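
The two conditions raised in this thread, setuid-games binaries and binaries their owner can overwrite, can be checked in one pass. The shell function below is an added example, not part of the original e-mail; the name `audit_setid` and its output tags are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies set-id files in DIR:
#   TROJANABLE  setuid to OWNER with the owner write bit set, so anyone who
#               gains OWNER's uid can replace the binary for the next user
#   SETUID      setuid to OWNER with the write bit cleared (the owner can
#               still chmod it back, so these remain candidates for change)
#   SETGID      setgid to GROUP, the layout the thread asks maintainers for
# DIR, OWNER and GROUP are caller-supplied; the defaults follow the thread.
audit_setid() {
    dir=${1:-/usr/local/bin}
    owner=${2:-games}
    group=${3:-games}

    # setuid bit (4000) and owner write bit (0200) both set
    find "$dir" -type f -user "$owner" -perm -4000 -perm -0200 -print |
        sed 's/^/TROJANABLE /'

    # setuid bit set, owner write bit clear
    find "$dir" -type f -user "$owner" -perm -4000 ! -perm -0200 -print |
        sed 's/^/SETUID /'

    # setgid bit (2000) with the expected group
    find "$dir" -type f -group "$group" -perm -2000 -print |
        sed 's/^/SETGID /'
}

# Run only when arguments are given, e.g.:
#   sh audit.sh /usr/local/bin games games
if [ "$#" -gt 0 ]; then
    audit_setid "$@"
fi
```

OWNER and GROUP may be names or numeric ids; any TROJANABLE or SETUID line is a port to reinstall setgid as described above.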

