Re: setuid/setgid binaries contained in the Debian repository.
Matt Zimmerman <mdz@debian.org> writes:
> On Mon, Aug 11, 2003 at 04:00:40PM +0200, Emile van Bergen wrote:
>
> > On Mon, Aug 11, 2003 at 09:28:42AM -0400, Matt Zimmerman wrote:
> > > setuid results in even more problems than setgid. Given access to the
> > > game uid, the user can modify the wrapper program (because they own it)
> > > and from that point forward, any user who runs the game is compromised.
> >
> > The point is that the user doesn't get control over the game uid, because
> > the setuid + wrapper that sets the real uid, etc. provides a barrier to
> > the invoking user. We have to trust such barriers; they are required in
> > the unix design.
> >
> > If a user could make any setuid binary do arbitrary things, no matter
> > whether it's correctly written, then it's a kernel bug and we are in much,
> > much bigger trouble.
>
> I don't follow. The wrapper is running with uid games, and it exec()s the
> actual game. So the game is running with uid games, exactly as if the game
> itself were setuid, and if the game is exploited, uid games is compromised
> (and so is the wrapper).
>
> The only barrier I see is that it would clean the environment variables.
> Yes, this is a popular attack vector, but it is by no means the only one.
The wrapper could be setuid root and drop to game.
But I'd rather have some game exploits than a root exploit due to a
buggy wrapper.
Regards
Goswin
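The setuid-root wrapper that drops to the game account, as mentioned in the message above, sketched in C as an added example that is not code from the thread or from any Debian package. GAME_UID, GAME_GID, GAME_PATH and the function names are assumed placeholders; the sketch shows the call order and return-value checks that such a wrapper depends on, plus the environment cleaning discussed in the quoted text.

```c
/* Added example: setuid-root wrapper that drops to a game account before
 * exec. GAME_UID, GAME_GID and GAME_PATH are assumed placeholder values. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define GAME_UID  ((uid_t)60001)
#define GAME_GID  ((gid_t)60001)
#define GAME_PATH "/usr/lib/games/example"

/* Fixed environment handed to the game; nothing from the caller survives. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Returns 1 if variable `name` is present in clean_env, else 0. */
int clean_env_has(const char *name)
{
    size_t n = strlen(name);
    for (char *const *e = clean_env; *e != NULL; e++)
        if (strncmp(*e, name, n) == 0 && (*e)[n] == '=')
            return 1;
    return 0;
}

/* Irreversibly drop root: supplementary groups, then gid, then uid, since
 * each earlier call needs the privilege the last one gives up.
 * Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                    /* refuse to "drop" to root */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0 || setgid(0) == 0)
        return -1;                    /* root was regainable */
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

int main(void)
{
    char *const argv[] = { GAME_PATH, NULL };
    if (drop_privileges(GAME_UID, GAME_GID) != 0)
        return 1;                     /* never exec the game as root */
    execve(GAME_PATH, argv, clean_env);
    return 1;                         /* reached only if execve failed */
}
```

Every path that fails to drop privileges exits without calling execve, so the game never runs as root.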