Re: setuid/setgid binaries contained in the Debian repository.
On Mon, Aug 11, 2003 at 10:56:50AM +0200, Emile van Bergen wrote:
> A more unix-like approach would therefore be to create a separate uid
> for each game, and use a wrapper for each game that's suid to the game's
> uid and executable only by gid games. This wrapper would clean the
> environment and run the game, passing the uid of the invoking user as
> simple command line or environment information to the game. A "call
> gate" for games, so to speak.
> This way, users have no control over the process that runs the game;
> each game runs under a different uid and can have its own highscore
> file, which is guaranteed secure from other games.
> In other words, the game doesn't have to trust the user nor does it need
> to trust all other games anymore. Looks like it solves the problem.
setuid results in even more problems than setgid. Given access to the game
uid, the user can modify the wrapper program (because they own it) and from
that point forward, any user who runs the game is compromised.
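
The ownership point in this reply, as an added example (not code from the thread): a small Python audit that flags set-id files owned by a non-root uid, since that uid can rewrite what later callers execute. The function names, the default directory and the sample modes are assumptions constructed for illustration.

```python
import os
import stat
import sys

def classify(mode, owner_uid):
    """Return findings for a set-id regular file owned by a non-root uid."""
    if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
        return []
    if owner_uid == 0:
        return []  # only root can change the file's contents or mode bits
    findings = []
    if mode & stat.S_ISUID:
        # The process runs as the file's owner, and an owner may chmod and
        # overwrite its own file, then set the setuid bit again.
        findings.append("setuid to uid %d, which owns the file and can replace it"
                        % owner_uid)
    if mode & stat.S_ISGID:
        findings.append("setgid file owned by non-root uid %d" % owner_uid)
    return findings

def audit(root):
    """Walk root and return (path, findings) for each flagged file."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # entry vanished or is unreadable
            findings = classify(st.st_mode, st.st_uid)
            if findings:
                results.append((path, findings))
    return results

if __name__ == "__main__":
    # Constructed sample modes, not taken from any real package.
    samples = [("wrapper owned by uid 1001, mode 4750", stat.S_IFREG | 0o4750, 1001),
               ("game owned by root, mode 2755", stat.S_IFREG | 0o2755, 0)]
    for label, mode, uid in samples:
        print(label, "->", classify(mode, uid) or "no non-root owner")
    # Assumed default directory; pass another path as the first argument.
    for path, findings in audit(sys.argv[1] if len(sys.argv) > 1 else "/usr/games"):
        print(path, "->", "; ".join(findings))
```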