Subject: Re: Removing dm(1)
To: Curt Sampson <cjs@portal.ca>
From: Scott Reynolds <scottr@Plexus.COM>
List: current-users
Date: 11/19/1997 00:53:36
On Tue, 18 Nov 1997, Curt Sampson wrote:

> Why does a non-suid program need a security sweep anyway?

oh, i don't know.  you've said it yourself; you can't see the security
hole, but does that mean it's not there?

> I understand that you have already come up with such a scheme; why
> don't you spell it out? Or are you trying to protract this
> thread/argument/whatever?

no, actually i was working at the time.  (a novel concept, to be sure.
i'll describe it if you're interested.)

here's the solution i came up with this morning, after spending all of 5
minutes on it:

1) modify dm(8) to be a setgid-games executable, rather than setuid
2) modify any games currently setuid-games to use setgid-games instead,
   for writing high score files, etc.  as always, follow standard
   procedures for relinquishing setid status except when accessing
   privileged data.
3) make the games owner bin:games, mode 2550
4) make /usr/games/hide root:games, mode 750
5) ensure that no files other than game data files are writable by
   group `games', particularly executables.

feel free to suggest improvements or show why it's not sufficient.  (in
particular, it doesn't matter what group is used, if this use of `games'
conflicts with an existing convention.)

--scott
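As an added example, not code from the thread or from NetBSD: a small POSIX shell audit for steps 3 to 5 of the scheme above (exact modes on the hide directory and the game binaries, and no group-writable files outside the game data directory, executables above all). The function names and the separate data-directory argument are assumptions.

```shell
#!/bin/sh
# Assumed audit helpers for the setgid-games layout; not part of any
# NetBSD tool.  Needs POSIX find(1) plus -path, which GNU and BSD
# find both support.

# has_exact_mode <path> <octal-mode>: true when <path> has exactly that
# mode, e.g. has_exact_mode /usr/games/hide 0750 (step 4) or
# has_exact_mode /usr/games/hide/rogue 2550 (step 3).
has_exact_mode() {
    # -prune keeps find from descending when <path> is a directory.
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# audit_games_tree <dir> <group> <datadir>: enforces step 5.  A file
# under <dir> may be writable by <group> only if it lives in <datadir>,
# and nothing writable by <group> may carry an execute bit.  Prints each
# offender and returns 1 if any were found, 0 for a clean tree.
audit_games_tree() {
    dir=$1 grp=$2 data=$3 status=0

    # Group-writable executables are never acceptable, not even as "data".
    bad=$(find "$dir" -type f -group "$grp" -perm -020 \
          \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/group-writable executable: /'
        status=1
    fi

    # Everything else the group can write must sit inside <datadir>.
    bad=$(find "$dir" -path "$data" -prune -o \
          -type f -group "$grp" -perm -020 -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed "s|^|group-writable file outside $data: |"
        status=1
    fi
    return $status
}
```

Run it against the real tree as `audit_games_tree /usr/games games /var/games` (paths assumed) from cron or a rc script, so a stray group-writable binary is caught before it becomes a path to gid games.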