
Re: /var/games/package must be 770



On Fri, Mar 01, 2002 at 03:04:20PM +0100, Bill Allombert wrote:
> On Fri, Mar 01, 2002 at 09:06:16AM +0100, Eric Van Buggenhaut wrote:
> > On Wed, Feb 27, 2002 at 05:47:42PM +0100, Bill Allombert wrote:
> > > This is a minor security problem: if the highscore is always
> > > created by root, /var/games/<package>/ can be 755 as well.
> > > Else there is the risk the high score files become owned by a
> > > normal user. Since the directory is 775 and not 770, this user
> > > can overwrite the highscore file and create security problems.
> > > 
> > 
> > Sorry, I'm losing you here. If the dir is 775, then root and group
> > games can read-write the files within this and others may read these
> > files but certainly not overwrite them.
> > 
> > How do you see it a problem that normal users may _read_ high score files?
> 
> When you run a setgid binary you still own the files you create. When you own a file you
> can overwrite it *unless* it is in a directory you cannot chdir in.
> 
> There is no way to allow a user to read a file he owns but to disallow him to
> overwrite it.
> 
> So either highscore files are created owned by root at the installation of the
> game and there is no reason to have the directory writable by games, or they
> are created by the first user who plays the game and then they should be in a 770
> (or 774) directory.
> 


Here's my setup for crafty and I don't see any security flaw:

[eric@femto]$ ls -ld /var/lib/crafty/
drwxr-xr-x    3 root     root         1024 fév 28 12:21 /var/lib/crafty/
[eric@femto]$ ls -l /var/lib/crafty/
total 4490
-rw-rw-r--    1 root     games     4442112 fév 28 12:19 book.bin
-rw-rw-r--    1 root     games           1 mar  1 18:57 book.lrn
-rw-rw-r--    1 root     games      132528 fév 28 12:19 books.bin
-rw-rw-r--    1 root     games           8 fév 28 12:01 position.bin
drwxr-xr-x    2 root     games        1024 fév 28 12:21 TB
[eric@femto]$ echo 'test' > /var/lib/crafty/book.lrn 
[eric@femto]$ less /var/lib/crafty/book.lrn
test
[eric@femto]$ ls -l /var/lib/crafty/book.lrn 
-rw-rw-r--    1 root     games           5 mar  1 19:09 /var/lib/crafty/book.lrn
[eric@femto]$ rm -f /var/lib/crafty/book.lrn
[eric@femto]$ rm -f /var/lib/crafty/book.lrn
rm: cannot unlink `/var/lib/crafty/book.lrn': Permission denied

I can write to the opening books files, but I can't change their permission, their ownership, nor can I delete them.

Where does the problem reside, IYO?

-- 
Eric VAN BUGGENHAUT     "Hay tampones y tampones..." (Eva Serrano)
			Andago
        \_|_/           Av. Santa Engracia, 54
       \/   \/          E-28010 Madrid - tfno:+34(91)2041100
a n d a g o  |--        http://www.andago.com
       /\___/\ 		"Innovando en Internet"
        / | \           eric@andago.com
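
Added example, not part of the original message or thread: a Python check for the condition Bill Allombert describes above, a state file owned by an ordinary user inside a directory that user can enter with their own credentials. The function names, the root-only trusted set and the assumption that players are not members of group games are assumptions of this example; uid 1000 is a constructed sample value.

```python
import os
import stat

def owner_can_reach(dir_mode, dir_uid, file_uid):
    """Can the file's owner traverse the directory with their own credentials,
    i.e. without going through the setgid game binary?"""
    if file_uid == 0:
        return True  # root bypasses directory permission checks
    if file_uid == dir_uid:
        return bool(dir_mode & stat.S_IXUSR)
    # Assumption: ordinary players are not members of the directory's group
    # (games), so only the "other" search bit applies to them.
    return bool(dir_mode & stat.S_IXOTH)

def audit_state_dir(path, trusted_uids=frozenset({0})):
    """Return sorted (name, owner_uid) pairs for regular files whose untrusted
    owner can reach them directly and therefore chmod and overwrite them."""
    d = os.stat(path)
    findings = []
    with os.scandir(path) as entries:
        for entry in entries:
            st = entry.stat(follow_symlinks=False)
            if not stat.S_ISREG(st.st_mode) or st.st_uid in trusted_uids:
                continue
            if owner_can_reach(stat.S_IMODE(d.st_mode), d.st_uid, st.st_uid):
                findings.append((entry.name, st.st_uid))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed cases: directory owned by root, score file owned by uid 1000.
    for mode in (0o775, 0o770, 0o774, 0o755):
        print(oct(mode), "owner can reach file:", owner_can_reach(mode, 0, 1000))
    # Audit the per-package directories under /var/games, if present.
    if os.path.isdir("/var/games"):
        for sub in sorted(os.listdir("/var/games")):
            full = os.path.join("/var/games", sub)
            if os.path.isdir(full):
                try:
                    print(full, audit_state_dir(full))
                except PermissionError:
                    print(full, "not readable by this user")
```

A setup like the crafty listing above, where every file is owned by root, yields no findings under the default trusted set.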


