Xref: utzoo comp.unix.xenix.sco:2296 comp.unix.admin:1655
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!rpi!uupsi!sunic!news.funet.fi!news
From: pl@hakki.cs.tut.fi (Lehtinen Pertti)
Newsgroups: comp.unix.xenix.sco,comp.unix.admin,sub.security
Subject: Re: WARNING: SCO-Xenix game "hack", setuid root NO DANGER, OOOOPS
Message-ID: <1991Apr23.091314.22964@funet.fi>
Date: 23 Apr 91 09:13:14 GMT
References: <9104211024.32@rmkhome.UUCP>
Sender: news@funet.fi (#Kotilo NEWS system )
Organization: Finnish University and Research Network FUNET
Lines: 21
Nntp-Posting-Host: hakki.cs.tut.fi

From article <9104211024.32@rmkhome.UUCP>, by rmk@rmkhome.UUCP (Rick Kelly):
> In article <1991Apr18.213843.18297@odbffm.incom.de> oli@odbffm.incom.de (Oliver Boehmer) writes:
>>In <1991Apr17.192850.10450@odbffm.incom.de> oli@odbffm.incom.de (Oliver Boehmer) writes:
>>But one thing I'd really like to know: Why the &/%$"&/ is hack setuid?
>
> I believe that the high score file belongs to root, and can only be read by
> and written to by root.
>

Yes. This is usually the reason for this kind of setup.

The main fault is that there is no reason to have setuid root for this purpose.
Some pseudo user and setuid to that could be just enough.

It is always possible to cause some unwanted side effects when wandering
around with root.

-- 
pl@cs.tut.fi                     ! All opinions expressed above are
Pertti Lehtinen                  ! purely offending and in subject
Tampere University of Technology ! to change without any further
Software Systems Laboratory      ! notice
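Added example, not part of the post or of SCO Xenix: a small POSIX shell audit that tells a setuid-root game apart from one that is setuid to a pseudo user, the setup the post recommends. It assumes only that `ls -ld` prints the mode string as the first field and the owner as the third.

```sh
# Added example (not from the original post): classify setuid binaries by
# owner so a setuid-root game stands out from one setuid to a pseudo user.
# Uses only ls and POSIX shell so it runs on old and new UNIX alike.

# Print NONE (no setuid bit), ROOT (setuid root) or USER:<owner>.
setuid_class() {
    path=$1
    [ -e "$path" ] || { echo "MISSING"; return 1; }
    # ls -ld: field 1 is the mode string, field 3 the owner name
    set -- $(ls -ld "$path")
    mode=$1
    owner=$3
    case "$mode" in
        # 4th character is the user-execute slot: s/S means setuid is set
        ???[sS]*) ;;
        *) echo "NONE"; return 0 ;;
    esac
    if [ "$owner" = root ] || [ "$owner" = 0 ]; then
        echo "ROOT"
    else
        echo "USER:$owner"
    fi
}

# Walk a directory of games and report every setuid-root file.
# Returns 1 if at least one was found, 0 otherwise.
audit_games_dir() {
    dir=$1
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(setuid_class "$f")" in
            ROOT)   echo "WARNING: $f is setuid root"; found=1 ;;
            USER:*) echo "ok: $f is setuid to a pseudo user" ;;
        esac
    done
    return $found
}
```

Run it as `audit_games_dir /usr/games` on a system you administer; a non-zero exit means a game still runs as root and would be a candidate for the pseudo-user ownership the post describes.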