Bug#1118: fortune is setuid games ?!

To: debian-bugs@Pixar.com
Subject: Bug#1118: fortune is setuid games ?!
From: dhs@firefly.com (David H. Silber)
Date: Sun, 25 Feb 1996 12:17:32 -0500 (EST)
Message-id: <[🔎] m0tqk4j-0006QmC@firefly.firefly.com>
Reply-to: dhs@firefly.com, debian-bugs@Pixar.com

I was working on my fortune package, trying to get rid of its one-and-only
(reported) bug.  The issue is that the fortune binary is suid games.  This
is done so that only the fortune program can read the fortune databases.
The complaint was that this would allow a user of fortune to read other
files that they should not (under ordinary circumstances) have access to.
I tried to do this, but was unsuccessful.  (The fortune program refuses to
show text from a file not in the correct format.)  Since I can't find the
security hole here, I'm planning on closing out the bug report.  If anyone
can show me how to recreate the problem, or can show me how this it still
a security hole, please send e-mail.

On another related issue, I find that there does not seem to be a standard
for permissions of games programs and associated files.  I spent some time
looking under /usr/doc/dpkg, /usr/doc/debian-0.93 and http://www.debian.org/,
but was unable to find anything addressing this topic.  Do we have a
standard?  If so, where is it?

Thanks,
David

--
  David H. Silber     dhs@firefly.com     Project: Debian GNU/Linux (dbackup)
  <http://www.access.digex.net/~dhs/>     Wanted:  Spare time.

			     Programmer for hire.

Reply to:

Follow-Ups:
- Bug#1118: fortune is setuid games ?!
  - From: Ian Jackson <ian@chiark.chu.cam.ac.uk>

Prev by Date: Bug#2402: ps no longer understands `g' option
Next by Date: Bug#2406: Cannot install xpm4.7 as well as old a.out xpm shared libs
Previous by thread: Bug#2402: ps no longer understands `g' option
Next by thread: Bug#1118: fortune is setuid games ?!
Index(es):
- Date
- Thread