Bugzilla – Bug 103186
VUL-0: Users in group "games" can become root
Last modified: 2013-01-24 15:05:01 UTC
Since Suse Linux trusts members of the group "games" more than it should, a member of this group can relatively easily become root. Since many games are installed SGID games by default, group membership is easy to gain. In order to become a member of group games you just need to exploit one of the games that is SGID by default. Certainly many of these programs were never intended to be SGID. The Tetris clone "ltris" for example will produce this behaviour:

    nordi@nordiputer:/tmp/ltest> HOME=/home/nordi`perl -e 'print "/"x512;'`
    nordi@nordiputer:/tmp/ltest> ltris
    LTris 1.0.10
    [snip....]
    Saving highscore chart in: /var/games/
    Fatal signal: Segmentation Fault (SDL Parachute Deployed)
    nordi@nordiputer:/tmp/ltest>

This is because ltris _trusts_ that $HOME contains meaningful data and uses fixed sized buffers. Ltris was obviously not designed to be SGID. So group "games" is easy to get.

The POSTIN script of the rpm for "methane" contains the following lines:

    touch /var/games/methanescores
    chown root:games /var/games/methanescores

Since chown follows symlinks, a member of group games can chown an arbitrary file (/var/games is writable for group games). By doing this, he can for example read /etc/shadow. A very similar bug is in the POSTIN script of gnome-games (lines 36ff). The PREIN script of geki2 is also looking somewhat fishy.

There is also another possibility for attack by abusing chkstat and temporary copies of secret files. On my system, I have the following files:

    /etc/shadow
    /etc/shadow.backup
    /etc/shadow.old
    /etc/shadow.YaST2save

I assume /etc/shadow.YaST2save will be deleted at some time when YaST2 wants to make another copy of the shadow file. An attacker can now place a _hardlink_ to this file at /var/games/phantasia. Note that there is an entry for this file in /etc/permissions.easy! Nevertheless, chkstat will not chown/chmod this file because it has 2 hardlinks. But as soon as YaST2 removes its old backup copy, the hardlink count drops to 1. Now chkstat will make the backup copy of /etc/shadow readable to the attacker!

The first possibility for attack is easily solved by changing the 3 rpms. For the second possibility I think it is easiest to make /var/games be owned by root. Then, each package that requires scorefiles in /var/games can bring them in its rpm and chown it to group games. This way, an attacker cannot play hardlink/symlink games in /var/games any longer and it will also work against the first attack.
Well spotted! It proves once again that there is no such thing as an innocent s bit. We'll have to update the permissions and filesystem packages to change /var/games to root:root 755 as well as any other package that has a group games writeable directory.
xsok contains /var/games/xsok which is group writeable as well and contains files that are changed by the permissions package. That one has to be root:root as well.
After talking with mls we came to the conclusion to fix it the following way:

- /var/games will be root:root 755
- games should not use world or group writeable directories
- rpms need to have highscore files as %ghost and create them with

      test -e /var/games/foo || \
          install -m 664 -o root -g games /dev/null /var/games/foo

- install will be patched to be less racy (ie use fchown).

For released distro we need to update permissions and filesystem to change /var/games to root:root 755. Since that may break stuff we will first test the change with 10.0.
Ok, discussed again. If the highscore file doesn't change its md5sum in the rpm (e.g. because it's initially always zero) the preferred way to package it is

    %verify(not md5 size mtime) %config(noreplace) %attr(664,root,games) /var/games/foo
Maintenance-Tracker-2408 Will update permissions in sles8, permissions and xmcd in 9.0, permissions and filesystem in 9.1-9.3.
SUSE QA: After installing the maintenance update on sles8 (edeece9a87d211ef0c08ea0e95918b32, patch-10516) I have

    puppis:~ # grep -Er ".games.*(66|77)" /etc/permissions*
    /etc/permissions:/var/games/ games:games 0775

This conflicts with Comment #3!
SUSE QA: Comment #6 applies to the maintenance update for sles9 (cd99cc1034cc89ae4051288a7e0a8b21, patch-10514), too.
I think some internal discussions were not fully tracked in here. At least the STABLE permissions has this entry:

    -------------------------------------------------------------------
    Fri Sep 30 13:28:00 CEST 2005 - lnussel@suse.de
    - add slashes to several directories (#103186)
    - change /var/games to games:games 775 again (#103186)

So that /var/games is games:games 775 appears intentional by Ludwig. Ludwig will be back on 18.10.2005 and we will wait until he is back for further discussion.
Yes, there is off-line discussion with mls missing, sorry. We determined that the previous suggestion does not fix the problem completely. We now just don't change permissions of any files below /var/games anymore. Therefore it's safe to set it back to 775. For cases where it can't be avoided to change permissions of sub*directories* of world writable directories (/usr/src/packages/*) slashes have been appended to the filenames so chkstat will fail if it finds a file instead.
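The three defensive measures discussed in this bug (creating a highscore file with O_EXCL and applying ownership through the descriptor with fchown rather than chown on a path, refusing to fix permissions on a symlink or on a file with more than one hard link as in the chkstat hardlink case from the report, and the trailing-slash convention so a file found where a directory was listed is rejected) put together as an added example. This is not code from the permissions, filesystem or install packages; the function names are my own and the uid/gid/mode are parameters so it can be exercised without root.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a highscore file only if it does not already exist. O_EXCL makes
 * open() fail on any existing name, including a symlink planted in the
 * group-writable directory, and owner/mode are set through the descriptor
 * (fchown/fchmod), so the path cannot be swapped between creation and chown.
 * Returns 1 if created, 0 if the name already existed, -1 on error. */
int create_score_file(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return errno == EEXIST ? 0 : -1;
    if (fchown(fd, uid, gid) < 0 || fchmod(fd, mode) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    return 1;
}

/* Guard for a chkstat-style permission fixer. Refuses an entry that is a
 * symlink, a regular file reachable through more than one hard link (the
 * attacker's link may be the one left once a backup copy is deleted), or a
 * name listed with a trailing slash that is not a directory.
 * Returns 1 when applying the listed owner/mode is safe, 0 otherwise. */
int safe_to_fix_perms(const char *listed_path)
{
    struct stat st;
    size_t n = strlen(listed_path);
    int want_dir = n > 1 && listed_path[n - 1] == '/';

    if (lstat(listed_path, &st) < 0 || S_ISLNK(st.st_mode))
        return 0;
    if (want_dir)
        return S_ISDIR(st.st_mode);
    return S_ISREG(st.st_mode) && st.st_nlink == 1;
}
```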
packages approved
it gets worse with every try to fix it *grmpf*
new packages and patchinfos submitted
updates and advisory released
CVE-2005-3321
CVE-2005-3321: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
making a public bug