Bug#1118: fortune is setuid games ?!
I was working on my fortune package, trying to get rid of its one-and-only
(reported) bug. The issue is that the fortune binary is suid games. This
is done so that only the fortune program can read the fortune databases.
The complaint was that this would allow a user of fortune to read other
files that they should not (under ordinary circumstances) have access to.
I tried to do this, but was unsuccessful. (The fortune program refuses to
show text from a file not in the correct format.) Since I can't find the
security hole here, I'm planning on closing out the bug report. If anyone
can show me how to recreate the problem, or can show me how this is still
a security hole, please send e-mail.

On another related issue, I find that there does not seem to be a standard
for permissions of games programs and associated files. I spent some time
looking under /usr/doc/dpkg, /usr/doc/debian-0.93 and http://www.debian.org/,
but was unable to find anything addressing this topic. Do we have a
standard? If so, where is it?
David H. Silber firstname.lastname@example.org Project: Debian GNU/Linux (dbackup)
<http://www.access.digex.net/~dhs/> Wanted: Spare time.
Programmer for hire.