Hi, On 05/05/2011 10:46 AM, Richard Hartmann wrote:
On Thu, May 5, 2011 at 10:32, Hans de Goede<hdegoede@redhat.com> wrote:This approach is just as safe as yours, once the rights have been unrevokably dropped, nothing bad can be done any more other then what can be done through the fd.Not quite true as with Bas' approach there is exactly one binary that needs to be secured whereas with your approach every single game binary needs to be patched and audited.
With Bas' approach every game binary (or rather the sources it is build from) still needs to be patches to use the passed in fd, rather then trying to open the highscore file itself. As for auditing: 1) The highscore parsing code should still be audited in either case, since someone subverting the game will still be able to write malicious content to it in either case 2) The rest of the code will be a simple standardizes snippet directly at the start of main, and once control is passed this snippet all elevated rights are permanently gone, see here for the snippet Fedora is using: http://fedoraproject.org/wiki/SIGs/Games/Packaging Regards, Hans