
List:       kde-devel
Subject:    Re: TR: [Kde-games-devel] KHighscore setuid?
From:       Charles Samuels <charles () kde ! org>
Date:       2001-05-06 18:03:28

On Sunday 06 May 2001 10:54 am, George Staikos wrote:
> On Sunday 06 May 2001 13:56, Charles Samuels wrote:
>
> > > > So, you just use a "password" inside the game binary.  The game
> > > > binary executes the setuid thingy, gives it the password, then says
> > > > "charles got a score of 120."  The setuid thing then adds it to the
> > > > db.
> > > >
> > > > The password is gotten from the setuid thing on configure, and it's
> > > > just a random string.
> > >
> > >   And you could just strace the game and obtain the password.
> >
> > Touche... :)
> >
> > But who that knows how to use strace hasn't better things to do than
> > change their high-scores? :)
>
>    Because then they've obtained access to the setuid binary to make it do
> what they please.  This is almost identical to what I proposed except for
> that I proposed to use encryption instead of a password.  If you use
> encryption then you can't strace it.  If the permissions are set right on
> the binaries, you can't ptrace it either, and thus can't obtain the key.
Ok, I missed that.  I'm just thinking out loud.

-Charles


-- 
Charles Samuels <charles@kde.org>
K Desktop Environment
"The people. Could you patent the sun?"
 -- Jonas E. Salk, when asked who owned the patent on his polio vaccine.
