Bugtraq mailing list archives
Re: Quake 2 Linux
From: galexand () SIETCH BLOOMINGTON IN US (Greg Alexander)
Date: Tue, 27 Jan 1998 23:26:53 -0500
On Mon, 26 Jan 1998 kevingeo () CRUZIO COM wrote:
> Vulnerable: Anyone who made Quake2 setuid root in order to use the
> svgalib software refresh.
>
> Solution: chmod u-s quake2, and use ref_softx instead of ref_soft. If you
> prefer console-based video, you could get GGI
> (http://synergy.caltech.edu/~ggi/), and use KGI with the SVGAlib wrapper
> (I haven't tried this).

This is not the proper solution at all. The proper solution is:

create a group for trusted people (call it trusted, or console, or whatever)
chown root.trusted quake2
chmod 4750 quake2

quake2 is not usable in a window. It is much more proper to limit the game to trusted people than to (essentially) remove it entirely.

There is a much more important quake2 hole. ref_gl.so requires quake2 to be suid root (in order to initialize the 3dfx hardware), but it /never/ gives up root, so network-related segfaults would allow remote exploits of your machine. There are three solutions here:

- make a wrapper library for one of the relevant libraries (libMesaGL, libvga, anything) to give up root at some appropriate time (what a hack).
- fix libMesaGL (because this is a generic problem with all Mesa-based 3dfx apps) to give up root immediately after initializing the card.
- beg for David "Zoid" Kirsch (zoid () idsoftware com, his boss is johnc () idsoftware com) to become security-conscious.

(for reference, the original svgalib port of quake he was provided with was as secure as svgalib games get, then he intentionally moved the vga_init call to a place after many files are opened "so I don't get newbies complaining that they can't open /dev/mouse.")

/NEVER/ install any game ported by David Kirsch or David Taylor in a public setuid manner on a machine used by untrusted people. The probability is well over 95% that root will not be given up until after almost all files have been opened.

Greg Alexander - also <gralexan () indiana edu> - http://sietch.home.ml.org/
----
"In Christianity neither morality nor religion come into contact with reality at any point."
-- Friedrich Nietzsche
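
The startup order the reply asks for (initialize the card, then give up root before any file or network code runs), sketched in C. This is an added example, not part of the original post and not code from Quake 2, svgalib or Mesa; init_video_hardware() and start_game() are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently return a setuid-root process to the invoking user.
 * Returns 0 on success, -1 if a step fails or root can still be regained. */
int drop_privileges(void)
{
    uid_t ruid = getuid();   /* the user who actually ran the binary */
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped we may no longer change it. */
    if (setgid(rgid) != 0) return -1;
    /* With euid 0 this sets real, effective and saved uid together. */
    if (setuid(ruid) != 0) return -1;

    /* Verify the drop is permanent: regaining root must now fail. */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    if (geteuid() != ruid || getegid() != rgid) return -1;
    return 0;
}

/* Hypothetical stand-in for the one step that needs root
 * (video card setup); it touches nothing in this sketch. */
static int init_video_hardware(void) { return 0; }

/* Startup order: privileged init, drop root, then everything else. */
int start_game(void)
{
    if (init_video_hardware() != 0) return -1;
    if (drop_privileges() != 0) return -1;   /* never continue as root */
    /* Config files, /dev/mouse and network code belong after this point. */
    return 0;
}

int main(void)
{
    if (start_game() != 0) {
        fprintf(stderr, "could not drop privileges, exiting\n");
        return EXIT_FAILURE;
    }
    printf("uid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    return EXIT_SUCCESS;
}
```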