Date:      Thu, 16 Dec 1999 13:27:15 -0500 (EST)
From:      Spidey <beaupran@iro.umontreal.ca>
To:        Robert Watson <robert+freebsd@cyrus.watson.org>
Cc:        Warner Losh <imp@village.org>, Chris England <cengland@obscurity.org>, freebsd-security@FreeBSD.ORG
Subject:   Re: From BugTraq - FreeBSD 3.3 xsoldier root exploit (fwd) 
Message-ID:  <14425.12035.757889.422296@anarcat.dyndns.org>
References:  <199912160615.XAA69151@harmony.village.org> <Pine.BSF.3.96.991216091552.26813A-100000@fledge.watson.org>

xsoldier was (and still is, to my knowledge) setuid root for high
score thingies... This should really be suid games, at *least*. 

The patch fixes the exploit, not the suid bit.

The AnarCat

--- Big Brother told Robert Watson to write, at 09:18 of December 16:
> On Wed, 15 Dec 1999, Warner Losh wrote:
> 
> > In message <Pine.BSO.4.10.9912152030130.29021-100000@obscurity.org> Chris England writes:
> > : I personally have not tested this. I'm not too big on games, but I would
> > : recommend anyone who has this game installed suid-root to test the snippet
> > : code against it and post the results to this list.
> > 
> > The bugtraq guys forwarded the report to SO before they sent it to
> > bugtraq.  We had it fixed within a couple of hours (and it would have
> > been faster if we weren't in ports freeze).
> 
> So, I'm sorry, could you be specific here: was this problem reported to
> security-officer@freebsd.org, or reported via a send-pr, or not reported
> to us?
> 
> Would it be feasible for someone to go disable setuid bits in all the
> games/ tree? :-)  Why was xsoldier setuid?
> 
> Thanks,
> 
>   Robert N M Watson 
> 
> robert@fledge.watson.org              http://www.watson.org/~robert/
> PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
> TIS Labs at Network Associates, Safeport Network Services
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
If the image gives the illusion of knowing,
It is because the adage claims that, to believe,
All that matters would be to see

Lofofora

