List: kde-devel
Subject: Re: TR: [Kde-games-devel] KHighscore setuid?
From: Charles Samuels <charles () kde ! org>
Date: 2001-05-06 18:03:28
On Sunday 06 May 2001 10:54 am, George Staikos wrote:
> On Sunday 06 May 2001 13:56, Charles Samuels wrote:
>
> > > > So, you just use a "password" inside the game binary. The game
> > > > binary executes the setuid thingy, gives it the password, then says
> > > > "charles got a score of 120." The setuid thing then adds it to the
> > > > db.
> > > >
> > > > The password is gotten from the setuid thing on configure, and it's
> > > > just a random string.
> > >
> > > And you could just strace the game and obtain the password.
> >
> > Touche... :)
> >
> > But who that knows how to use strace hasn't better things to do than
> > change their high-scores? :)
>
> Because then they've obtained access to the setuid binary to make it do
> what they please. This is almost identical to what I proposed except for
> that I proposed to use encryption instead of a password. If you use
> encryption then you can't strace it. If the permissions are set right on
> the binaries, you can't ptrace it either, and thus can't obtain the key.
Ok, I missed that. I'm just thinking out loud.
-Charles
--
Charles Samuels <charles@kde.org>
K Desktop Environment
"The people. Could you patent the sun?"
-- Jonas E. Salk, when asked who owned the patent on his polio vaccine.