[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Quake No longer running for users

Pollywog <pollywog@shadypond.com> writes:

> On 02-Mar-99 Dale E. Martin wrote:
> > Make sure you check out the following link if you're going to set your
> > Quake2 binary suid root (or run it as root.)  I've set my firewall up 
> > to deal with the Quake2 exploit found here:
> > http://www.insecure.org/sploits_remote.html
> What about making squake and squake.real owned by root.games and then
> making both suid root?  Then place trusted users in the "games" group.  That
> lets me execute quake as pollywog instead of as root.
> It seems to work for me, though there might be problems later, I suppose.

If you read the link I posted, then you'll know that what you've done
(without certain precautions) allows random people on the Internet to
execute commands as "root" on your machine if you connect to Internet Q2
servers.  If you run it as yourself, then they still will be able to
execute commands as you.  It's not a matter of trusting your local users at
all.  You can avoid the problem altogether by not running Quake 2 on a
network or the Internet, or by using a firewall as described by the
referenced link.

+------------------------- pgp key available --------------------------+
| Dale E. Martin |  Clifton Labs, Inc.  |  Senior Computer Engineer    |
| dmartin@clifton-labs.com    |    http://www.clifton-labs.com         |

Reply to: