On Mon, 26 Jan 1998 kevingeoat_private wrote:

> Vulnerable:
> Anyone who made Quake2 setuid root in order to use the svgalib software refresh.
>
> Solution:
> chmod u-s quake2, and use ref_softx instead of ref_soft.
> If you prefer console-based video, you could get GGI
> (http://synergy.caltech.edu/~ggi/), and use KGI with the SVGAlib wrapper
> (I haven't tried this).

This is not the proper solution at all. The proper solution is:

create a group for trusted people (call it trusted, or console, or whatever)
chown root.trusted quake2
chmod 4750 quake2

quake2 is not usable in a window. It is much more proper to limit the game to
trusted people than to (essentially) remove it entirely.

There is a much more important quake2 hole. ref_gl.so requires quake2 to be
suid root (in order to initialize the 3dfx hardware), but it /never/ gives up
root, so network-related segfaults would allow remote exploits of your
machine. There are three solutions here:

- make a wrapper library for one of the relevant libraries (libMesaGL, libvga,
  anything) to give up root at some appropriate time (what a hack).
- fix libMesaGL (because this is a generic problem with all Mesa-based 3dfx
  apps) to give up root immediately after initializing the card.
- beg for David "Zoid" Kirsch (zoidat_private, his boss is johncat_private)
  to become security-conscious. (for reference, the original svgalib port of
  quake he was provided with was as secure as svgalib games get, then he
  intentionally moved the vga_init call to a place after many files are opened
  "so I don't get newbies complaining that they can't open /dev/mouse.")

/NEVER/ install any game ported by David Kirsch or David Taylor in a public
setuid manner on a machine used by untrusted people. The probability is well
over 95% that root will not be given up until after almost all files have been
opened.
Greg Alexander - also <gralexanat_private> - http://sietch.home.ml.org/
----
"In Christianity neither morality nor religion come into contact with reality at any point." -- Friedrich Nietzsche
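The pattern the post is asking for (privileged setup first, then give up root for good, then open files and talk to the network), written out as an added example. This is editor-supplied code, not Quake2, Mesa or svgalib code; the privileged_init() stand-in for the card setup, the function names and the use of setresuid/setresgid (with a setreuid/setregid fallback off Linux) are assumptions. The point it shows beyond the prose: the drop has to clear the saved set-user-ID too, and the program should verify the drop rather than trust it, because a setuid(0) that still succeeds afterwards is exactly the hole described above.

```c
/* drop_root.c: give up root right after the only work that needs it. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Stand-in for the card/console setup (vga_init(), 3dfx init) that is the
 * only reason the binary is setuid root. Assumption: nothing privileged is
 * needed once it returns. Records whether we actually had root. */
static int privileged_init(int *had_root)
{
    *had_root = (geteuid() == 0);
    return 0;
}

/* Irrevocably switch to the invoking user's credentials.
 * Order matters: supplementary groups first (needs root), then gid, then
 * uid; all three of real/effective/saved must change or setuid(0) can bring
 * root back later. Returns 0 on success, -1 on any failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0) {
        /* A leftover root group in the supplementary list is a way back in. */
        if (setgroups(1, &rgid) != 0)
            return -1;
    }
#ifdef __linux__
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
#else
    /* Both arguments set: on BSD-style setreuid this also updates the saved id. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    if (setreuid(ruid, ruid) != 0)
        return -1;
#endif
    /* Verify, do not trust: the effective ids must match, and if we are not
     * root the kernel must now refuse to hand root back. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

/* 1 if the process cannot (re)gain root, 0 otherwise. */
int privileges_dropped(void)
{
    if (geteuid() != getuid() || getegid() != getgid())
        return 0;
    if (getuid() != 0 && setuid(0) == 0)
        return 0;
    return 1;
}

/* The startup order that matters. Everything after drop_privileges() runs
 * with the invoking user's rights, so a segfault in config parsing, in
 * opening /dev/mouse or in the network code is a crash, not a root shell.
 * Returns 0 on success, -1 if either step fails. */
int game_startup(int *had_root)
{
    if (privileged_init(had_root) != 0)
        return -1;
    if (drop_privileges() != 0)
        return -1;
    return 0;
}

int main(void)
{
    int had_root = 0;
    if (game_startup(&had_root) != 0) {
        perror("game_startup");
        return 1;
    }
    printf("started as root: %d, now uid=%d euid=%d dropped=%d\n",
           had_root, (int)getuid(), (int)geteuid(), privileges_dropped());
    return 0;
}
```

Combine it with the group restriction from the post (chown root.trusted, chmod 4750) and run the setuid copy as a member of the group: "started as root: 1" followed by uid and euid both equal to the invoking user, and dropped=1. Run unprivileged, had_root is 0 and the drop is a no-op that still passes the checks.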
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:41:12 PDT