Date: Thu, 2 Dec 1999 18:09:24 -0800 (PST)
From: Kris Kennaway <kris@hub.freebsd.org>
To: Matthew Hunt <mph@astro.caltech.edu>
Cc: Jason DiCioccio <geniusj@phreebsd.org>, chat@FreeBSD.ORG, advocacy@FreeBSD.ORG
Subject: Re: Vulnerability postings..
Message-ID: <Pine.BSF.4.21.9912021804240.45689-100000@hub.freebsd.org>
In-Reply-To: <19991202155924.A80952@wopr.caltech.edu>

On Thu, 2 Dec 1999, Matthew Hunt wrote:

> Just for the record, installing angband sgid was not a result of me
> smoking crack. It is written to be installed that way, aside from the
> fact that the author knows squat about security. (The source does not
> ship with an install target, so I did write the code to install sgid.)
>
> Grepping for "uid" in the source should make it clear that set[ug]id
> functionality is intended.

I suspected as much, but couldn't find anything to prove it when I checked the source briefly.

> As of today, the port installs non-sgid, but this requires two mode
> 1777 directories, breaks the high-score file, and probably lets
> players do bad things to each others' ability to play the game.

Hmm. This isn't exactly a great solution either, but it's probably all you can do - I suppose it's better than the previous situation, which would give attackers all of the above plus more. I doubt there's much else we could do short of fixing the source (maybe print a warning about the above at install-time?).

Thanks for jumping on this so fast..

Kris