> Vulnerable:
> Anyone who made Quake2 setuid root in order to use the svgalib software refresh.
>
> Solution:
> chmod u-s quake2, and use ref_softx instead of ref_soft.
> If you prefer console-based video, you could get GGI
> (http://synergy.caltech.edu/~ggi/), and use KGI with the SVGAlib wrapper
> (I haven't tried this).
This is not the proper solution at all. The proper solution is:
create a group for trusted people (call it trusted, or console, or
whatever)
chown root.trusted quake2
chmod 4750 quake2
quake2 is not usable in a window. It is much more proper to limit
the game to trusted people than to (essentially) remove it entirely.
There is a much more important quake2 hole. ref_gl.so requires
quake2 to be suid root (in order to initialize the 3dfx hardware), but it
/never/ gives up root, so network-related segfaults would allow remote
exploits of your machine. There are three solutions here:
- make a wrapper library for one of the relevant libraries
(libMesaGL, libvga, anything) to give up root at some appropriate time (what
a hack).
- fix libMesaGL (because this is a generic problem with all
Mesa-based 3dfx apps) to give up root immediately after initializing the
card.
	- beg David "Zoid" Kirsch (zoid@idsoftware.com, his boss is
johnc@idsoftware.com) to become security-conscious. (for reference, the
original svgalib port of quake he was provided with was as secure as svgalib
games get, then he intentionally moved the vga_init call to a place after
many files are opened "so I don't get newbies complaining that they can't
open /dev/mouse.")
/NEVER/ install any game ported by David Kirsch or David Taylor in a
public setuid manner on a machine used by untrusted people. The probability
is well over 95% that root will not be given up until after almost all files
have been opened.
Greg Alexander - also <gralexan@indiana.edu> - http://sietch.home.ml.org/
----
"In Christianity neither morality nor religion come into contact with
reality at any point."
-- Friedrich Nietzsche
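Added illustration (not code from the post above, nor from id Software or Mesa): the startup order Greg is asking for, in C. The privileged step (opening the hardware device; /dev/null stands in for the 3dfx node so this runs unprivileged) happens first, root is given up permanently right after it, and only then would config files, /dev/mouse or network sockets be opened. The helper also checks the "public setuid" point from the first half of the post: a mode of 4750 keeps the setuid bit but restricts execution to the owning group, while 4755 hands the binary to every local user. Function names and the /dev/null stand-in are my own assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* A setuid-root binary is "public" when anyone may execute it.
 * 4750: setuid bit, group-only execute. 4755: setuid bit, world execute. */
int setuid_exposed_to_everyone(mode_t mode)
{
    return ((mode & S_ISUID) && (mode & S_IXOTH)) ? 1 : 0;
}

/* Give up root for good, switching to (uid, gid). Returns 0 on success.
 * Order matters: supplementary groups and the gid must be changed while we
 * are still root, because an unprivileged process cannot change them later. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    /* With euid 0, setuid() sets real, effective and saved uid at once,
     * so the drop cannot be undone by a later setuid(0). */
    if (setuid(uid) != 0)
        return -1;

    if (uid != 0) {
        /* Prove it: regaining root must now fail, and every id must match. */
        if (setuid(0) == 0)
            return -1;
        if (getuid() != uid || geteuid() != uid)
            return -1;
        if (getgid() != gid || getegid() != gid)
            return -1;
    }
    return 0;
}

/* Hypothetical game startup in the safe order: touch the privileged device
 * first, drop root immediately, and only then open user files or sockets.
 * Returns the device fd, or -1 on failure. */
int startup_in_safe_order(const char *device, uid_t uid, gid_t gid)
{
    int fd = open(device, O_RDWR);   /* the one step that needs root */
    if (fd < 0)
        return -1;
    if (drop_privileges_permanently(uid, gid) != 0) {
        close(fd);
        return -1;
    }
    /* From here on, a segfault in network code is a crash as the user,
     * not a root compromise. Config files, /dev/mouse, sockets go here. */
    return fd;
}

int main(void)
{
    /* /dev/null is a constructed stand-in for the 3dfx device node. */
    int fd = startup_in_safe_order("/dev/null", getuid(), getgid());
    if (fd < 0) {
        perror("startup_in_safe_order");
        return 1;
    }
    printf("running as uid %d, device fd %d\n", (int)getuid(), fd);
    printf("4755 exposed: %d, 4750 exposed: %d\n",
           setuid_exposed_to_everyone(04755),
           setuid_exposed_to_everyone(04750));
    close(fd);
    return 0;
}
```

Run it as an ordinary user and the drop is a no-op that still passes the self-check; run it setuid root and the setuid(0) probe after the drop fails with EPERM, which is the property ref_gl.so as described above lacks.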