Re: [masq] 1st virus in Linux :( (fwd)

Jon Tombs (jon@gte.esi.us.es)
Tue, 11 Feb 1997 17:25:57 +0100 (MET)


Neil Moore said:

> > Doom is actually one of two programs: xdoom or sdoom. I think there is
> > also a framebuffer version of xdoom. (That's the case in quake) sdoom
> > uses svgalib and requires that suid root is set. xdoom works w/o suid.
> > svgalib sucks anyway...
>
> I meant, "Why not delete the executable you would be removing
> suid from?" I meant sdoom here, as (hopefully) no one installs
> xdoom suid root anyway.

A small observation about this thread.

As of 2.0.x, Linux removes the setuid bit when you modify a binary. So even if
sdoom was installed setuid root, the moment Bliss adds its signature, or
moves the binary to /tmp, the setuid bit will be removed.

Also, in Linux/Unix the virus will modify the inode change time, so detecting
the virus is trivial...

Jon.

-- 
Jon. <jon@gte.esi.us.es, http://www.esi.us.es/~jon>
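The ctime check Jon describes, as an added example (this is not code from the thread or from any Linux tool): baseline the inode fields of the binaries you care about, then re-compare. ctime is the field to key on because it cannot be set from userspace; utime(2) only reaches atime and mtime, so an infector that restores mtime after writing still moves ctime. The file name, the stand-in signature and the temporary directory below are constructed for the demo, which infects a throwaway file rather than any real binary. One caveat on the setuid point: the kernel drops the bit on write only when the writer lacks CAP_FSETID, so a root process keeps it; the demo therefore reports whether the bit survived instead of assuming it was cleared.

```python
#!/usr/bin/env python3
"""Baseline-and-compare check for (setuid) binaries, keyed on st_ctime.
Added example for the Bliss thread, not part of the original post."""
import hashlib
import os
import stat
import tempfile
import time
from pathlib import Path

# Constructed stand-in for a file infector's appended signature; Bliss itself
# is not reproduced here.
FAKE_SIGNATURE = b"\n# infected-by-demo\n"


def stat_record(path: Path) -> dict:
    """Fields worth baselining. ctime is the one an attacker cannot set from
    userspace: utime(2)/touch only reach atime and mtime."""
    st = path.lstat()
    return {
        "mode": stat.S_IMODE(st.st_mode),
        "ino": st.st_ino,
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "ctime_ns": st.st_ctime_ns,
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }


def snapshot(root: Path, setuid_only: bool = False) -> dict:
    """Baseline every regular file under root (optionally just setuid ones)."""
    base = {}
    for p in root.rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        if setuid_only and not (p.lstat().st_mode & stat.S_ISUID):
            continue
        base[str(p)] = stat_record(p)
    return base


def compare(old: dict, new: dict) -> list:
    """Flag files whose inode change time moved since the baseline and say
    what else moved with it. Returns a list of (path, [reasons])."""
    findings = []
    for path, o in sorted(old.items()):
        n = new.get(path)
        if n is None:
            findings.append((path, ["missing"]))
            continue
        if n["ctime_ns"] == o["ctime_ns"]:
            continue
        reasons = ["ctime changed"]
        if n["ino"] != o["ino"]:
            reasons.append("inode replaced (file moved or copied back)")
        if n["sha256"] != o["sha256"]:
            reasons.append("contents changed")
        if n["mtime_ns"] == o["mtime_ns"]:
            reasons.append("mtime restored (utime) but ctime still moved")
        if (o["mode"] & stat.S_ISUID) and not (n["mode"] & stat.S_ISUID):
            reasons.append("setuid bit dropped by the kernel on write")
        elif n["mode"] != o["mode"]:
            reasons.append("mode %o -> %o" % (o["mode"], n["mode"]))
        findings.append((path, reasons))
    return findings


def infect(path: Path, preserve_mtime: bool = True) -> None:
    """Append the stand-in signature the way a file infector would, then put
    mtime back so a naive 'ls -l' comparison shows nothing."""
    before = path.stat()
    with path.open("ab") as fh:
        fh.write(FAKE_SIGNATURE)
    if preserve_mtime:
        os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))


def demo() -> dict:
    """Build a throwaway tree with a 'setuid' file (constructed), baseline it,
    infect it and re-compare. Whether the setuid bit survives depends on the
    writer lacking CAP_FSETID: an unprivileged process loses it, root keeps it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        victim = root / "sdoom"  # constructed stand-in, not the real binary
        victim.write_bytes(b"#!/bin/sh\necho doom\n")
        victim.chmod(0o4755)  # setting u+s on a file you own needs no privilege
        baseline = snapshot(root)
        time.sleep(0.05)  # let the kernel's coarse clock tick past the baseline
        infect(victim)
        findings = compare(baseline, snapshot(root))
        return {
            "findings": findings,
            "setuid_survived": bool(victim.stat().st_mode & stat.S_ISUID),
        }


if __name__ == "__main__":
    result = demo()
    for path, reasons in result["findings"]:
        print(path, "; ".join(reasons))
    print("setuid bit survived the write:", result["setuid_survived"])
```

In practice you would run `snapshot(Path("/usr/bin"), setuid_only=True)` once on a clean system, store the result off-box, and feed it to `compare` later; the demo only wires both halves together on a temporary file so it runs anywhere.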