Re: setuid/setgid binaries contained in the Debian repository.
On Fri, Aug 01, 2003 at 10:24:46PM +0200, Bernd Eckenfels wrote:
> DSA-360: no (daemon)
> DSA-359: yes (uid root: hardware access)
> DSA-358: no (kernel)
> DSA-357: no (daemon)
> DSA-356: yes (gid games)
> DSA-355: no (web css)
> DSA-354: yes (gid games)
> DSA-353: no (daemon, temp file)
> DSA-352: no (user, temp file)
> DSA-351: no (web css)
> DSA-350: yes (gid games)
> DSA-349: no (daemon)
> DSA-348: yes (system root tool exploit)
> ...
>
> Looking at this statistic, it is clearly visible that most of the exploits
> are game related, in fact only one system tool and one hardware accessing
> 'game' would allow suid root exploits, all others are sgid games.
This only means that we have a lot of games which are setgid and give no
thought to security, and that Steve Kemp has recently been rather
prolifically pointing this out (and fixing the bugs).
There are far too many setuid programs in Debian, especially setuid root.
Many of them are in obscure packages like leksbot or atari800, and so go
unnoticed for long periods of time, but anyone who unwittingly installs one
of these packages has severely compromised the security of their system.
Tools like dh_fixperms go a long way, by preventing maintainers from getting
caught by poor upstream decisions, but I think it is critical that we have a
review process before maintainers intentionally add privileged programs to
their packages.
> And some of the suid root stuff, like hardware access might even require
> debian to switch to some more sensible kernel setups.
svgalib is a frequent offender in this department, and at this point I think
that there are enough good alternatives to svgalib (which do not require
root access) that we should deprecate it as a reason for making programs
setuid entirely.
> > + <p>
> > + Since setuid and setgid programs are often a security rick,
> > + you should not add any new setuid or setgid programs to
> > + the distribution before this has been discussed on the
> > + <em>debian-security</em> mailing list and a consensus about
> > + doing that has been reached.
> > + </p>
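Review bot: "security rick" in the first added line of the paragraph is a typo for "security risk". The referent of "this" in "before this has been discussed" is also unclear; "before the addition has been discussed on the debian-security mailing list" would say it outright.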
>
> Do we want to make an sgid games exception here?
I do not think so; gid games vulnerabilities represent a legitimate security
exposure. Consider that many games are careless when it comes to handling
data files they have written with these privileges. If a user can write to
those files, they can exploit bugs in the game in order to gain the
privileges of other users who run the game.
--
- mdz
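A defender-side way to produce the kind of tally Bernd drew up above, but for the binaries actually installed on a system rather than for the DSAs; this is an added example, not code from the thread, and it assumes GNU find's -printf (Debian's findutils) and, optionally, dpkg for naming the owning package:

```shell
#!/bin/sh
# Audit setuid/setgid files under a tree and tally them the way the thread
# does (setuid root vs. setgid <group> vs. everything else), so that
# privileged binaries pulled in by an obscure package stand out.
# Assumptions: GNU find (Debian's findutils) for -printf; dpkg is optional
# and is used only to name the owning package.

# One line per setuid/setgid regular file: "mode user group package path".
audit_privileged() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %g %p\n' 2>/dev/null |
    while read -r mode user group path; do
        if command -v dpkg >/dev/null 2>&1; then
            pkg=$(dpkg -S "$path" 2>/dev/null | head -n1 | cut -d: -f1)
            [ -n "$pkg" ] || pkg='(not-owned-by-a-package)'
        else
            pkg='(no-dpkg)'
        fi
        printf '%s %s %s %s %s\n' "$mode" "$user" "$group" "$pkg" "$path"
    done
}

# Tally: setuid root counts first (highest privilege), then setgid <group>
# (default "games"), then any other privileged file.
# Usage: summarize_privileged <root> [group]
summarize_privileged() {
    audit_privileged "$1" | awk -v grp="${2:-games}" '
        {
            # GNU find prints e.g. 4755 (setuid), 2755 (setgid), 6755 (both)
            special = (length($1) == 4) ? substr($1, 1, 1) : 0
            if ((special == 4 || special == 6) && $2 == "root") suid_root++
            else if ((special == 2 || special == 6) && $3 == grp) sgid_grp++
            else other++
        }
        END {
            printf "setuid root: %d\n", suid_root + 0
            printf "setgid %s: %d\n", grp, sgid_grp + 0
            printf "other privileged: %d\n", other + 0
        }'
}

# Example invocation on a live Debian system:
# summarize_privileged / games
```

Running it on a fresh install before and after adding a package makes any newly privileged program visible without waiting for a DSA.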