From owner-freebsd-questions Thu Nov 22 2:48:19 2001 Delivered-To: freebsd-questions@freebsd.org Received: from obsecurity.dyndns.org (adsl-64-165-226-105.dsl.lsan03.pacbell.net [64.165.226.105]) by hub.freebsd.org (Postfix) with ESMTP id 92F8937B418; Thu, 22 Nov 2001 02:48:13 -0800 (PST) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 4024D66B27; Thu, 22 Nov 2001 02:48:13 -0800 (PST) Date: Thu, 22 Nov 2001 02:48:13 -0800 From: Kris Kennaway To: Anthony Atkielski Cc: FreeBSD Questions , freebsd-security@FreeBSD.ORG Subject: Re: setuid on nethack? Message-ID: <20011122024813.A24038@xor.obsecurity.org> References: <014201c17336$40653f90$0a00000a@atkielski.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Kj7319i9nmIyA2yE" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <014201c17336$40653f90$0a00000a@atkielski.com>; from anthony@freebie.atkielski.com on Thu, Nov 22, 2001 at 10:15:37AM +0100 Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --Kj7319i9nmIyA2yE Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Nov 22, 2001 at 10:15:37AM +0100, Anthony Atkielski wrote: > This morning I see an e-mail from the system telling me that setuid is set on > nethack, the adventure-style game that I installed recently. Why would this > game require this bit? I reset it with chmod 0544, which seems like plenty to On multiuser systems the nethack binary needs the ability to write saved games and score files, when nethack is run by a variety of different users. This is the case for a lot of games; a while back I went through and did a sweep to make sure that any games which require extra privilege for this purpose are using setgid games, not setuid anything (because the games gid only has the power to overwrite the score/save files for the games, and cannot take over any binaries directly as it could if they were setuid). Thus, it's only a marginal risk on a multiuser system (but still a slight risk, as with all binaries which execute with privilege). If you're on a single-user system then none of this should concern you anyway. If it does concern you then feel free to pkg_delete :-) Kris --Kj7319i9nmIyA2yE Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7/NfsWry0BWjoQKURAkHTAJ9kTVMSSaJDrqKOB0gMyGSoK+nVBgCgt8JQ weWg4ow4qMSzJcIM6MiRZVk= =aVwK -----END PGP SIGNATURE----- --Kj7319i9nmIyA2yE-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message