Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!sol.ctr.columbia.edu!emory!wa4mei!holos0!wdh
From: wdh@holos0.uucp (Weaver Hickerson)
Newsgroups: comp.unix.xenix.sco
Subject: Re: WARNING: SCO-Xenix game "hack", setuid root
Message-ID: <1991Apr23.133926.15289@holos0.uucp>
Date: 23 Apr 91 13:39:26 GMT
References: <1991Apr17.192850.10450@odbffm.incom.de> <1991Apr18.233851.29567@NCoast.ORG>
Organization: Holos Software, Inc., Atlanta, GA
Lines: 34

In article <1991Apr18.233851.29567@NCoast.ORG> allbery@ncoast.ORG (Brandon S. Allbery KB8JRR/AA) writes:
>As quoted from <1991Apr17.192850.10450@odbffm.incom.de> by oli@odbffm.incom.de (Oliver Boehmer):
>+---------------
>| When I recently went through the setuid-files on my system, I found, that
>| /usr/games/lib/hackdir/hack (the actual nethack-program) is setuid-root.
>| This version is part of SCO-XENIX Games and was installed with this
>| permissions by the SCO-Utility custom.
>+---------------
>
>Gaaaaaaaaaaaaaaaaaaak. I've heard of stupid security holes, but that one has
>to take the cake.
>
>++Brandon

We don't have any of the games here but, I was wondering, is it
perhaps possible that we have something like a:

	switch ((pid = fork())) {
	case 0:
		setuid(saveduid);
		exec(...);
		exit(-1);
	/* blah blah */
	}

In other words, the shell escape is NOT root and never will be. That's
prolly the way I would do it.

Oh well, what the hack!

Weaver
-- 
-Weaver Hickerson Voice (404) 496-1358 : ..!edu!gatech!holos0!wdh
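
The fork / drop / exec pattern sketched in the post, carried through as an added example; it is not code from the post or from the SCO game. The names drop_privileges and run_unprivileged are hypothetical, the target identity is assumed to be the invoking user's real uid and gid, and the command in main() is a constructed sample.

```c
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up set-uid/set-gid privileges; 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Supplementary groups can only be changed while still privileged. */
    if (geteuid() == 0 && ruid != 0 && setgroups(1, &rgid) != 0)
        return -1;
    /* Group first: once the uid is dropped the gid can no longer be changed. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify the drop is irreversible (skipped when the invoker really is root). */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Run argv[0] with the invoking user's identity; returns its exit status,
 * 126 if privileges could not be dropped, 127 if exec failed, -1 on error. */
int run_unprivileged(char *const argv[])
{
    int status;
    pid_t pid = fork();
    switch (pid) {
    case -1:
        return -1;
    case 0:
        if (drop_privileges() != 0)
            _exit(126);            /* never exec with leftover privilege */
        execv(argv[0], argv);
        _exit(127);                /* only reached if execv failed */
    default:
        if (waitpid(pid, &status, 0) != pid)
            return -1;
        return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    }
}

int main(void)
{
    char *const cmd[] = { "/bin/sh", "-c", "id", NULL };  /* constructed sample command */
    return run_unprivileged(cmd);
}
```

The return values of setgid() and setuid() are checked because an unchecked failure would let the exec proceed with root still in effect.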