Bugtraq mailing list archives

Re: Quake 2 Linux


From: galexand () SIETCH BLOOMINGTON IN US (Greg Alexander)
Date: Tue, 27 Jan 1998 23:26:53 -0500


On Mon, 26 Jan 1998 kevingeo () CRUZIO COM wrote:

> Vulnerable:
> Anyone who made Quake2 setuid root in order to use the svgalib software refresh.
>
> Solution:
> chmod u-s quake2, and use ref_softx instead of ref_soft.
> If you prefer console-based video, you could get GGI
> (http://synergy.caltech.edu/~ggi/), and use KGI with the SVGAlib wrapper
> (I haven't tried this).

This is not the proper solution at all.  The proper solution is:
        create a group for trusted people (call it trusted, or console, or whatever)
        chown root.trusted quake2
        chmod 4750 quake2

        quake2 is not usable in a window.  It is much more proper to limit
the game to trusted people than to (essentially) remove it entirely.

        There is a much more important quake2 hole.  ref_gl.so requires
quake2 to be suid root (in order to initialize the 3dfx hardware), but it
/never/ gives up root, so network-related segfaults would allow remote
exploits of your machine.  There are three solutions here:
        - make a wrapper library for one of the relevant libraries
(libMesaGL, libvga, anything) to give up root at some appropriate time (what
a hack).
        - fix libMesaGL (because this is a generic problem with all
Mesa-based 3dfx apps) to give up root immediately after initializing the
card.
        - beg for David "Zoid" Kirsch (zoid () idsoftware com, his boss is
johnc () idsoftware com) to become security-conscious.  (for reference, the
original svgalib port of quake he was provided with was as secure as svgalib
games get, then he intentionally moved the vga_init call to a place after
many files are opened "so I don't get newbies complaining that they can't
open /dev/mouse.")

        /NEVER/ install any game ported by David Kirsch or David Taylor in a
public setuid manner on a machine used by untrusted people.  The probability
is well over 95% that root will not be given up until after almost all files
have been opened.

Greg Alexander - also <gralexan () indiana edu> - http://sietch.home.ml.org/
----
"In Christianity neither morality nor religion come into contact with
reality at any point."
-- Friedrich Nietzsche
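
The ordering the message asks for (do the one hardware initialization that needs root, then give up root for good before any file or network code runs), as an added C example that is not part of the original post and is not code from Quake 2, svgalib or Mesa. `init_video_hardware` is a hypothetical stand-in for the privileged call, and the binary is assumed to be installed setuid root as described above.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical stand-in for the single step that needs root
 * (vga_init() in svgalib, or the 3dfx card setup inside Mesa). */
static int init_video_hardware(void)
{
    return 0;
}

/* Permanently give up setuid-root. Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();   /* the user who actually started the game */
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped we may not be allowed to. */
    if (setgid(rgid) != 0)
        return -1;
    /* With euid 0, setuid() resets real, effective AND saved uid. */
    if (setuid(ruid) != 0)
        return -1;

    /* Verify the drop cannot be undone (skipped when root ran us). */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

int main(void)
{
    if (init_video_hardware() != 0)      /* root needed only here */
        return 1;
    if (drop_privileges() != 0) {        /* never continue as root */
        fputs("could not drop privileges, aborting\n", stderr);
        return 1;
    }
    /* Config files, /dev/mouse, sockets: all opened as the invoking user. */
    printf("running as uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```

Checking every return value matters here: a setuid program that ignores a failed `setuid()` keeps running as root.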