From owner-freebsd-chat Thu Dec 2 18: 9:28 1999 Delivered-To: freebsd-chat@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 32BD014CF4; Thu, 2 Dec 1999 18:09:25 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 169021CD744; Thu, 2 Dec 1999 18:09:24 -0800 (PST) (envelope-from kris@hub.freebsd.org) Date: Thu, 2 Dec 1999 18:09:24 -0800 (PST) From: Kris Kennaway To: Matthew Hunt Cc: Jason DiCioccio , chat@FreeBSD.ORG, advocacy@FreeBSD.ORG Subject: Re: Vulnerability postings.. In-Reply-To: <19991202155924.A80952@wopr.caltech.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-chat@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 2 Dec 1999, Matthew Hunt wrote: > Just for the record, installing angband sgid was not a result of me > smoking crack. It is written to be installed that way, aside from the > fact that the author knows squat about security. (The source does not > ship with an install target, so I did write the code to install sgid.) > > Grepping for "uid" in the source should make it clear that set[ug]id > functionality is intended. I suspected as much, but couldn't find anything to prove it when I checked the source briefly. > As of today, the port installs non-sgid, but this requires two mode > 1777 directories, breaks the high-score file, and probably lets > players do bad things to each others' ability to play the game. Hmm. This isn't exactly a great solution either, but it's probably all you can do - I suppose it's better than the previous situation, which would give attackers all of the above plus more. I doubt there's much else we could do short of fixing the source (maybe print a warning about the above at install-time?). Thanks for jumping on this so fast.. Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message