Re: Vulnerability in Lizards game
Kragen (kragen@DNACO.NET)
Thu, 13 Nov 1997 12:19:34 -0500

On Thu, 13 Nov 1997, Olaf Titz wrote:
> Use "ioperm" <URL:http://www.inka.de/~bigred/sw/ioperm.txt> to run any
> svgalib program (and more) without making them setuid. svgalib has properly
> supported running with this tool for a long time now.
>
> There is no excuse at all for making any game setuid root.

Yes, but as you point out in your post, programs running with svgalib
under ioperm maintain an open fd to /dev/mem -- so if one can compromise
them, then one can get root, patch the kernel without getting root, or
whatever.
Kragen
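An added example, not part of the original post: a defender-side audit that lists processes holding an open descriptor on /dev/mem, /dev/kmem or /dev/port, which is the condition the reply warns about. It assumes a Linux /proc with per-process `fd` and `fdinfo` directories (a later kernel feature than this 1997 thread); the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Device nodes that expose physical memory, kernel memory or I/O ports.
SENSITIVE = {"/dev/mem", "/dev/kmem", "/dev/port"}

def writable(proc_root, pid, fd):
    """True/False from the octal 'flags:' line of fdinfo, None if unreadable."""
    try:
        with open(os.path.join(proc_root, pid, "fdinfo", fd)) as f:
            for line in f:
                if line.startswith("flags:"):
                    # Low two bits are the access mode; 0 is O_RDONLY.
                    return (int(line.split()[1], 8) & 0o3) != 0
    except (OSError, ValueError, IndexError):
        pass
    return None

def find_raw_memory_fds(proc_root="/proc"):
    """Return [(pid, fd, target, writable)] for descriptors open on SENSITIVE nodes."""
    hits = []
    for pid in sorted(filter(str.isdigit, os.listdir(proc_root)), key=int):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = sorted(filter(str.isdigit, os.listdir(fd_dir)), key=int)
        except OSError:  # process exited, or we lack permission to look
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in SENSITIVE:
                hits.append((int(pid), int(fd), target, writable(proc_root, pid, fd)))
    return hits

def demo():
    """Constructed sample tree: pid 101 holds /dev/mem read-write on fd 3."""
    layout = {"101": {"0": ("/dev/tty1", "02"), "3": ("/dev/mem", "0100002")},
              "202": {"0": ("/dev/null", "00")}}
    with tempfile.TemporaryDirectory() as root:
        for pid, fds in layout.items():
            for sub in ("fd", "fdinfo"):
                os.makedirs(os.path.join(root, pid, sub))
            for fd, (target, flags) in fds.items():
                os.symlink(target, os.path.join(root, pid, "fd", fd))
                with open(os.path.join(root, pid, "fdinfo", fd), "w") as f:
                    f.write("pos:\t0\nflags:\t%s\nmnt_id:\t21\n" % flags)
        return find_raw_memory_fds(root)
```

On a live system, call `find_raw_memory_fds()` as root so every process's `fd` directory is readable; a writable hit in a process that no longer runs as root is the case worth investigating.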