Quake 2 security risk

Quake 2 is vulnerable to an attack posted on rootshell.com

Zoid says in his .plan:

rootshell.com has posted an exploit for Quake2 under Linux. This exploit was talked about on the buqtraq list a day or two ago.

I've known about this one due to loading shared libs. I forgot to specifically mention in the readme that Quake2 should not be setuid. If you want to use the ref_soft and ref_gl renderers, you should run Quake2 as root. Don't make the binary setuid. You can only run both those renderers at the console only, so being root isn't that much of an issue. The X11 render doesn't need any root permissions (if /dev/dsp is writable by others for sound).

The dedicated server mode (+set dedicated 1) doesn't need to be root either.

I will look at solutions to this problem in the next release. Problems such as root requirements for games has been sort of a sore spot in Linux for a number of years now. This is one of the goals that GGI is targetting to fix. I plan on supporting a ref_ggi in the near future.