
Bug#1118: fortune is setuid games ?!



David H. Silber writes ("Bug#1118: fortune is setuid games ?!"):
> I was working on my fortune package, trying to get rid of its one-and-only
> (reported) bug.  The issue is that the fortune binary is suid games.  This
> is done so that only the fortune program can read the fortune databases.
> The complaint was that this would allow a user of fortune to read other
> files that they should not (under ordinary circumstances) have access to.
> I tried to do this, but was unsuccessful.  (The fortune program refuses to
> show text from a file not in the correct format.)

(a) Users may wish to make private fortune files.

(b) It is not good practice to rely on a file not being in an
appropriate format; perhaps a user will be able to control part of a
file so that it is in the right format.

(c) There is no point having the program be set-id: why not just make
the fortune files world-readable ?  It's not as if they're
confidential.

(d) In some circumstances it can be bad just to have the program open
a file for reading; the file might be a named pipe, or some such.

(e) If the program _really_ needs set-id it should be setgid games,
rather than setuid.  This prevents people who break a game and get
access to the game user/group from overwriting other games and
trojanning their users' accounts.

...
> On another related issue, I find that there does not seem to be a standard
> for permissions of games programs and associated files.  I spent some time
> looking under /usr/doc/dpkg, /usr/doc/debian-0.93 and http://www.debian.org/,
> but was unable to find anything addressing this topic.  Do we have a
> standard?  If so, where is it?

I don't think there is one.  I have some integration work to do on the
Guidelines, I'll try to add some stuff about it.

Ian.

