WARNING: SCO-Xenix game "hack", setuid root

Craig Macbride craig at bacchus.esa.oz.au
Fri Apr 19 10:18:07 AEST 1991


In <1991Apr17.192850.10450 at odbffm.incom.de> oli at odbffm.incom.de (Oliver Boehmer) writes:

>HACK	x4511	root/root	1	./usr/games/lib/hackdir/hack	01
>Hack allows shell escapes and I don't have to say what this means.

>If it wouldn't be so serious, I'd laugh about this. [ ... ]

Serious? Unless SCO's version of hack is stupidly broken, it will setuid back
to the original uid of the person running it before spawning any shells or
other external programs.

It needs to be setuid to something to be able to access its save files and
other data files without users being able to modify them. Probably the most
sensible solution is to make a user "games", make all the hack data directories
owned by and accessible to this user and make hack run setuid games. Having it
run as root is unnecessary but nothing to worry about so long as the program
switched back to a user's real uid before execing any other program, especially
sh.

If SCO's hack is broken such that it keeps the new uid when running a shell
escape, then whatever uid (root or games or whatever) you give it will be
accessible to everyone when they do such a shell escape, and hack's data files
will be able to be overwritten by any user who feels like it. (For raising
their own scores, etc.)

The easy solution is not to have it on at all. After all, hack's only really
fun when you can alter the source and give the players a few surprises every
so often! :-)

 _--_|\		Craig Macbride <craig at bacchus.esa.oz.au>
/      \
\_.--.*/	Expert Solutions Australia
      v
-- 
 _____________________________________________________________________________
| Craig Macbride, craig at bacchus.esa.oz.au      | Hardware:                    |
|                                              |      The parts of a computer |
|   Expert Solutions Australia                 |        which you can kick!   | 
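
The behaviour the post expects from a correctly written setuid game, as an added example (not code from the post or from SCO's hack): the shell escape forks, drops to the invoking user's real uid/gid in the child, confirms the drop, and only then execs sh. The function names `drop_privileges` and `shell_escape` are hypothetical, and the code assumes a modern POSIX system with `setreuid()`/`setregid()` rather than 1991 Xenix.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for setreuid()/setregid() */
#endif
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up set-uid/set-gid privilege. Returns 0 on success, -1 if
 * any step fails or if the old privilege can still be regained. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: once the uid is dropped we may lack the right to change gid. */
    if (setregid(rgid, rgid) != 0) return -1;
    if (setreuid(ruid, ruid) != 0) return -1;   /* also resets the saved uid */

    /* Verify instead of trusting return codes alone. */
    if (geteuid() != ruid || getegid() != rgid) return -1;
    if (ruid != 0) {   /* a real root user can always switch ids; skip the probe */
        if (old_euid != ruid && seteuid(old_euid) == 0) return -1;
        if (old_egid != rgid && setegid(old_egid) == 0) return -1;
    }
    return 0;
}

/* Run cmd via /bin/sh as the invoking user. Returns the shell's exit status,
 * or -1 if the child could not be created or did not exit normally. */
int shell_escape(const char *cmd)
{
    int status;
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: refuse to exec anything unless the drop is confirmed. */
        if (drop_privileges() != 0) _exit(126);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    /* Parent keeps its privilege so the game can still write its save files. */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) { return shell_escape("id"); }
```

Installed setuid, `id` run through this escape reports the invoking user's uid and euid; a version that skips `drop_privileges()` reports the file owner's euid instead, which is the broken case described above.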


