Xref: utzoo comp.unix.xenix.sco:2257 comp.unix.admin:1623
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uwm.edu!bionet!agate!usenet.ins.cwru.edu!ncoast!allbery
From: allbery@NCoast.ORG (Brandon S. Allbery KB8JRR/AA)
Newsgroups: comp.unix.xenix.sco,comp.unix.admin,sub.security
Subject: Re: WARNING: SCO-Xenix game "hack", setuid root
Message-ID: <1991Apr18.233851.29567@NCoast.ORG>
Date: 18 Apr 91 23:38:51 GMT
References: <1991Apr17.192850.10450@odbffm.incom.de>
Reply-To: allbery@ncoast.ORG (Brandon S. Allbery KB8JRR/AA)
Followup-To: comp.unix.xenix.sco
Organization: North Coast Public Access Un*x (ncoast)
Lines: 17

As quoted from <1991Apr17.192850.10450@odbffm.incom.de> by oli@odbffm.incom.de (Oliver Boehmer):
+---------------
| When I recently went through the setuid-files on my system, I found that
| /usr/games/lib/hackdir/hack (the actual nethack-program) is setuid-root.
| This version is part of SCO-XENIX Games and was installed with these
| permissions by the SCO-Utility custom.
+---------------

Gaaaaaaaaaaaaaaaaaaak.  I've heard of stupid security holes, but that one has
to take the cake.

++Brandon
--
Me: Brandon S. Allbery                      Ham: KB8JRR/AA on 2m, 220, 440, 1200
Internet: allbery@NCoast.ORG                (QRT on HF until local problems fixed)
America OnLine: KB8JRR // Delphi: ALLBERY   AMPR: kb8jrr.AmPR.ORG [44.70.4.88]
uunet!usenet.ins.cwru.edu!ncoast!allbery    KB8JRR @ WA8BXN.OH