
Re: Standardizing various games packaging things across distros



Hi,

On 05/04/2011 10:39 AM, Ludwig Nussel wrote:
> Hans de Goede wrote:
> > I've made a list of points which I would like us to come to some
> > start of standard for below:
> [... ACK]
> > 4) Handling of sgid rights for shared/global highscore files
> >
> > Many games support a global highscore table shared between different
> > users, this usually involves sgid games rights, combined with
> > a gid games writable score file somewhere under /var.
> >
> > Having sgid binaries brings certain security issues with it, and
> > as we all know most games have not been written really robustly
> > when it comes to dealing with unexpected input / error handling.
> >
> > This leads to the following potential attack scenario:
> > 1) attacker starts a sgid games game, subverts it
> > 2) attacker writes invalid data crafted to subvert
> > 2a) the same game, to the highscore file
> > 2b) another game, to another highscore file
> > 3) intended target starts the game with the malicious
> > highscore file
> > 4) game does things the attacker wanted with the target's rights
>
> Another attack vector is packages (e.g. %post scripts) that do
> things with group games owned files or directories. There's
> potential to escalate to root by playing symlink tricks leading to
> e.g. a chmod on /etc/shadow or something like that.

Well, there should simply be no %post scripts messing with these files,
and rpm itself is smart enough to not fall for symlink attacks. Also
notice that my proposed fix disallows the user from creating a symlink in
the first place; all he gets access to if he subverts the game is a
filehandle to the rw opened score file.

> IMO the "global highscore" feature which actually is a "local
> machine highscore" should simply not be enabled by default in distro
> packages.

I disagree, why disable a long standing feature of many of these games,
esp. given that there have been very few security issues with this
even though it has been common practice for ages.

> An ideal solution would be some kind of standardized highscore
> protocol. So games could post their highscore to either a local
> highscore daemon or some service on the internet. I guess that's
> never going to happen though :-)

That would be cool, I agree :)

Regards,

Hans
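
The reply above describes a fix in which a subverted game holds nothing more than an open read/write handle to the score file. A sketch of that open-then-drop pattern follows; it is an added example, not code from this thread, and the function name `open_scores_and_drop_gid` and the path `/var/games/example.scores` are made up for illustration.

```c
#define _XOPEN_SOURCE 700   /* for O_NOFOLLOW, O_CLOEXEC and setregid() */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open the shared score file while the sgid group is still effective, then
 * give that group up for good. Returns the open fd, or -1 on any failure.
 * Meant to be the first thing main() does, before any input is parsed. */
int open_scores_and_drop_gid(const char *path)
{
    /* O_NOFOLLOW: refuse a symlink planted at the final path component. */
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* Only a regular file is acceptable (no FIFO, device or directory). */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }

    /* Setting real and effective gid to the caller's real gid also resets
     * the saved set-group-ID, so the old group cannot be restored later. */
    gid_t real = getgid();
    if (setregid(real, real) != 0 || getegid() != real) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Hypothetical path; a real package would use its own file under /var. */
    const char *path = argc > 1 ? argv[1] : "/var/games/example.scores";
    int fd = open_scores_and_drop_gid(path);
    if (fd < 0) {
        fputs("score file unavailable\n", stderr);
        return 1;   /* a game could instead continue with scores disabled */
    }
    /* ... game runs here with the user's own gid; fd is all that remains ... */
    close(fd);
    return 0;
}
```

This limits a subverted game to writing one score file; the contents of that file still have to be parsed as untrusted input by every game that reads it.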

