A Chess forum. ChessBanter


Go Back   Home » ChessBanter forum » Chess Newsgroups » rec.games.chess.computer (Computer Chess)

Security advisory for Crafty 19.3



 
 
  #1  
Old August 21st 03, 05:04 PM
Anders Thulin


Odd -- I haven't seen a security advisory for computer chess programs before,
but someone seems to have taken the trouble to go through Crafty 19.3 carefully.

It doesn't appear to be a very critical problem, though, unless someone runs
Crafty with suid/sgid bits (or equivalent) set. See:

http://www.secunia.com/advisories/9577/

for whatever info there is out right now.

--
Anders Thulin http://www.algonet.se/~ath

  #2  
Old August 21st 03, 05:43 PM
Anders Thulin



Robert Hyatt wrote:

> I don't know why anyone would bother with setuid/setgid since crafty
> won't do that internally anyway.


Looks like the person who found this (Steve Kemp) belongs to the Debian
community -- perhaps Debian installs games in some out-of-the-ordinary way?

--
Anders Thulin http://www.algonet.se/~ath

  #3  
Old August 21st 03, 06:03 PM
Ari Makela

In article , Anders Thulin wrote:


> Robert Hyatt wrote:
>
>> I don't know why anyone would bother with setuid/setgid since crafty
>> won't do that internally anyway.
>
> Looks like the person who found this (Steve Kemp) belongs to the
> Debian community -- perhaps Debian installs games in some less than
> usual way?


crafty is setgid on Debian:

$ ls -l /usr/games/*crafty* | awk '{print $1 " " $3 " " $4 " " $9}'
-rwxr-xr-x root root /usr/games/crafty
-rwxr-sr-x root games /usr/games/crafty.bin

--
Ari Makela http://arska.org/hauva/

"Deux fous gagnent toujours, mais trois fous, non!" - Alexander Alekhine
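
An added example, not part of the original post: a POSIX shell sketch that reads listing lines in the `mode owner group path` form printed by the awk filter above and reports which entries carry setuid or setgid bits. The function names and the two `/constructed/` lines are made up for illustration; the first two sample lines are the ones shown in the post.

```shell
#!/bin/sh
# Classify one "mode owner group path" entry by its setuid/setgid bits.
classify_mode_line() {
    mode=$1 owner=$2 group=$3 path=$4
    flags=""
    # Character 4 of the mode string is the owner-execute slot: s/S = setuid.
    case $mode in
        ???s*) flags="setuid($owner)" ;;
        ???S*) flags="setuid-noexec($owner)" ;;
    esac
    # Character 7 is the group-execute slot: s/S = setgid.
    # Upper-case S means the bit is set but the execute bit is not.
    case $mode in
        ??????s*) flags="${flags:+$flags,}setgid($group)" ;;
        ??????S*) flags="${flags:+$flags,}setgid-noexec($group)" ;;
    esac
    printf '%s %s\n' "${flags:-plain}" "$path"
}

# Read listing lines on stdin and print only the privileged entries.
audit_listing() {
    while read -r mode owner group path; do
        [ -n "$mode" ] || continue
        result=$(classify_mode_line "$mode" "$owner" "$group" "$path")
        case $result in
            plain\ *) ;;                      # no special bits: skip
            *) printf '%s\n' "$result" ;;
        esac
    done
}

# First two lines are from the post; the /constructed/ lines are
# invented sample input covering the setuid and no-exec cases.
sample_listing() {
    cat <<'EOF'
-rwxr-xr-x root root /usr/games/crafty
-rwxr-sr-x root games /usr/games/crafty.bin
-rwsr-xr-x root root /constructed/example-suid
-rw-r-Sr-- root games /constructed/example-noexec
EOF
}

sample_listing | audit_listing
```
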

  #4  
Old August 21st 03, 09:38 PM
Ari Makela

In article , Robert Hyatt wrote:

> I guess that could happen. However, there is no setgid() call in
> crafty so even if it has the setgid permission set, it won't behave
> as if it were running as the "game group" unless someone modifies the
> source code. And if they do that, it would seem that _anything_ could
> be done.


I suppose no non-trivial software can be packaged into a linux
distribution that conforms to FHS (Filesystem Hierarchy Standard)
without modifying the source.

And yes, Debian does modify the code of crafty. The diffs are available
at

URL: http://packages.debian.org/stable/games/crafty.html

--
Ari Makela http://arska.org/hauva/

"Deux fous gagnent toujours, mais trois fous, non!" - Alexander Alekhine

  #5  
Old August 21st 03, 09:45 PM
Robert Hyatt

Ari Makela wrote:
> In article , Robert Hyatt wrote:
>
>> I guess that could happen. However, there is no setgid() call in
>> crafty so even if it has the setgid permission set, it won't behave
>> as if it were running as the "game group" unless someone modifies the
>> source code. And if they do that, it would seem that _anything_ could
>> be done.
>
> I suppose no non-trivial software can be packaged into a linux
> distribution that conforms to FHS (Filesystem Hierarchy Standard)
> without modifying the source.


With a "shared installation" crafty can work just fine. It simply
disables learning, which probably makes sense for a shared installation
anyway. Then there is no need for any setgid stuff whatsoever...


> And yes, Debian does modify the code of crafty. The diffs are available
> at
>
> URL: http://packages.debian.org/stable/games/crafty.html
>
> --
> Ari Makela http://arska.org/hauva/
>
> "Deux fous gagnent toujours, mais trois fous, non!" - Alexander Alekhine



--
Robert Hyatt Computer and Information Sciences
University of Alabama at Birmingham
(205) 934-2213 115A Campbell Hall, UAB Station
(205) 934-5473 FAX Birmingham, AL 35294-1170
 




All times are GMT +1.