On Fri, Aug 01, 2003 at 10:24:46PM +0200, Bernd Eckenfels wrote:
> DSA-360: no (daemon)
> DSA-359: yes (uid root: hardware access)
> DSA-358: no (kernel)
> DSA-357: no (daemon)
> DSA-356: yes (gid games)
> DSA-355: no (web css)
> DSA-354: yes (gid games)
> DSA-353: no (daemon, temp file)
> DSA-352: no (user, temp file)
> DSA-351: no (web css)
> DSA-350: yes (gid games)
> DSA-349: no (daemon)
> DSA-348: yes (system root tool exploit)
> ...
>
> Looking at this statistic, it is clearly visible that most of the exploits
> are game related, in fact only one system tool and one hardware accessing
> 'game' would allow suid root exploits, all others are sgid games.

This only means that we have a lot of games which are setgid and give no
thought to security, and that Steve Kemp has recently been rather
prolifically pointing this out (and fixing the bugs).

There are far too many setuid programs in Debian, especially setuid root.
Many of them are in obscure packages like leksbot or atari800, and so go
unnoticed for long periods of time, but anyone who unwittingly installs one
of these packages has severely compromised the security of their system.
Tools like dh_fixperms go a long way, by preventing maintainers from getting
caught by poor upstream decisions, but I think it is critical that we have a
review process before maintainers intentionally add privileged programs to
their packages.

> And some of the suid root stuff, like hardware access might even require
> debian to switch to some more sensible kernel setups.

svgalib is a frequent offender in this department, and at this point I think
that there are enough good alternatives to svgalib (which do not require
root access) that we should deprecate it as a reason for making programs
setuid entirely.

> > + <p>
> > + Since setuid and setgid programs are often a security rick,
> > + you should not add any new setuid or setgid programs to
> > + the distribution before this has been discussed on the
> > + <em>debian-security</em> mailing list and a consensus about
> > + doing that has been reached.
> > + </p>
>
> Do we want to make an sgid games exception here?

I do not think so; gid games vulnerabilities represent a legitimate security
exposure. Consider that many games are careless when it comes to handling
data files they have written with these privileges. If a user can write to
those files, they can exploit bugs in the game in order to gain the
privileges of other users who run the game.

-- 
 - mdz
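Review bot: "security rick" on the second added line of the quoted paragraph should read "security risk". The paragraph also leaves the scope of "any new setuid or setgid programs" implicit: it does not say whether programs that are setgid to a non-root group are covered, which is exactly the question the sgid games follow-up asks, so stating that scope in the policy text would settle it.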
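The exposure discussed in the message above (setuid and setgid executables, plus data files writable through a group that a setgid program runs as) can be inventoried with a short script. This is an added example, not part of the original message; the sample paths, ids and modes are constructed, and flagging group- or world-writable files as the interesting data files is an assumption.

```python
import os
import stat

def scan(root):
    """Yield (path, mode, uid, gid) for files under root; symlinks are not followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry
            yield path, st.st_mode, st.st_uid, st.st_gid

def audit(records):
    """Return (privileged, exposed) for an iterable of scan()-style records."""
    records = [r for r in records if stat.S_ISREG(r[1])]
    # privileged: (path, "setuid" | "setgid", id) for each privileged executable
    privileged = []
    for path, mode, uid, gid in records:
        if mode & stat.S_ISUID:
            privileged.append((path, "setuid", uid))
        # setgid without group-execute marks file locking, not a privilege grant
        if mode & stat.S_ISGID and mode & stat.S_IXGRP:
            privileged.append((path, "setgid", gid))
    priv_gids = {i for _p, kind, i in privileged if kind == "setgid"}
    # exposed: (path, gid, how) for files owned by a group some setgid program
    # runs as, and writable by that group or by everyone
    exposed = []
    for path, mode, _uid, gid in records:
        if gid not in priv_gids:
            continue
        if mode & stat.S_IWOTH:
            exposed.append((path, gid, "world-writable"))
        elif mode & stat.S_IWGRP:
            exposed.append((path, gid, "group-writable"))
    return privileged, exposed

# Constructed sample records: paths, ids and modes are made up for illustration.
SAMPLE = [
    ("/usr/games/examplegame", 0o102755, 0, 60),         # setgid, group 60
    ("/usr/bin/exampletool", 0o104755, 0, 0),            # setuid root
    ("/var/games/examplegame.scores", 0o100664, 0, 60),  # group-writable data
    ("/var/games/othergame.sav", 0o100666, 1000, 60),    # world-writable data
    ("/var/lock/example.lck", 0o102644, 0, 0),           # setgid bit, not executable
]

if __name__ == "__main__":
    for row in sum(audit(SAMPLE), []):
        print(*row)
```

On a live system the same report comes from `audit(scan("/"))`, run with enough privilege to read the directories of interest.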