/var/games/package must be 770
Hello developers,
Policy 12.11 states that highscore files must be put in
a directory with permission 770 root.games, and this is a
good thing because users must not be allowed to overwrite
the highscore file for security reasons.
Unfortunately it seems that few games follow this policy.
Most use 775 root.games /var/games/<package> directory
with 775 root.games highscore files in it.
This is a minor security problem: if the highscore is always
created by root, /var/games/<package>/ can be 755 as well.
Otherwise there is the risk that the high score files become owned by a
normal user. Since the directory is 775 and not 770, this user
can overwrite the highscore file and create security problems.
As an example, on my machine running testing (some lines trimmed):
yellowpig% ls -l /var/games
drwxrwxr-x 2 root games 4096 sep 22 02:41 bombardier
drwxrwsr-x 3 root games 4096 fév 20 14:50 falconseye
drwxrwxr-x 2 root games 4096 sep 28 16:28 omega-rpg
drwxrwsr-x 2 root games 4096 jui 3 2001 powermanga
drwxrwsr-x 2 root games 4096 sep 29 23:20 xpat2
and worse
yellowpig% ls -l /var/games/bombardier /var/games/xpat2
/var/games/bombardier:
total 4
-rw-rw-r-- 1 bill games 360 nov 7 22:55 bdscore
/var/games/xpat2:
total 524
-rw-rw-r-- 1 bill games 531160 fév 27 00:26 xpat.log
yellowpig% ls -l /var/games/falconseye /var/games/falconseye/save
/var/games/falconseye:
drwxrwsr-x 2 root games 4096 fév 20 14:50 save
/var/games/falconseye/save:
total 44
-rw-rw---- 1 bill games 35773 fév 20 14:50 1001bill
-rw-rw---- 1 bill games 7736 fév 20 14:50 1001bill.gz
Reading the lintian reports,
<http://lintian.debian.org/reports/Tnon-standard-dir-perm.html>
the following games are probably affected:
abuse, bombardier, bsdgames, crossfire-server, falconseye, groundhog,
heroes-common, mirrormagic, moon-buggy, nethack, spellcast, trr19, xbl,
xkobo-scores, xtet42.
BTW lintian does not seem to know about /var/games/<package> being 770.
Cheers,
--
Bill. <ballombe@debian.org>
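The two problems the mail describes (a package directory under /var/games that is not 770 root.games, and a highscore file owned by a normal user inside a directory that others can enter) can be picked out mechanically from "ls -l" output like the one quoted above. The script below is an added example and not part of the mail or of any Debian package: it reads such a listing on standard input, so it can be run against a saved listing without touching the live filesystem. The sample listing at the bottom is constructed for the demonstration; the package names in it are hypothetical, and the rules it applies (a 2770 directory with the setgid bit, drwxrws---, counts as compliant; filenames contain no spaces; each "ls -l" section starts with a "/path:" header) are my assumptions, not statements from the mail or from Policy.

```shell
#!/bin/sh
# Added example, not from the original mail: audit an "ls -l" listing of
# /var/games and its per-package directories for the problems described
# in the post. Reads the listing on stdin, prints one line per finding,
# and exits 1 if anything was found.
# Assumptions (mine): filenames carry no spaces, every section of the
# listing starts with a "/path:" header as "ls -l dir1 dir2" prints it,
# and drwxrws--- (2770) is as good as drwxrwx--- (770), since the setgid
# bit does not widen access for users outside group games.

audit_listing() {
    root=${1:-/var/games}
    awk -v root="$root" '
        # Policy 12.11: highscore directories are 770 root.games.
        function compliant(perm) {
            return perm == "drwxrwx---" || perm == "drwxrws---"
        }
        # "/var/games/foo:" opens a new section of the listing.
        /^\/.*:$/ { section = substr($0, 1, length($0) - 1); next }
        /^total /  { next }
        NF < 9     { next }
        {
            perm = $1; owner = $3; group = $4; name = $NF
            if (section == root) {
                # Entries directly under the root are the package dirs.
                if (substr(perm, 1, 1) != "d") next
                path = root "/" name
                dirmode[path] = perm
                if (!compliant(perm) || owner != "root" || group != "games") {
                    printf("%s: %s %s.%s, Policy 12.11 wants 770 root.games\n",
                           path, perm, owner, group)
                    found++
                }
            } else if (section in dirmode) {
                # A file owned by a normal user inside a directory that
                # others can enter: that user can rewrite the highscores
                # directly, bypassing the setgid game binary.
                if (substr(perm, 1, 1) == "-" && owner != "root" &&
                    !compliant(dirmode[section])) {
                    printf("%s/%s: owned by %s in a %s directory, %s can overwrite it\n",
                           section, name, owner, dirmode[section], owner)
                    found++
                }
            }
        }
        END { exit found > 0 }
    '
}

# Constructed sample listing (hypothetical packages), shaped like the
# output of: ls -l /var/games /var/games/bombardier /var/games/xpat2 ...
SAMPLE_LISTING='/var/games:
drwxrwxr-x 2 root games 4096 sep 22 02:41 bombardier
drwxrwsr-x 2 root games 4096 sep 29 23:20 xpat2
drwxrwx--- 2 root games 4096 sep 29 23:20 tidygame
/var/games/bombardier:
total 4
-rw-rw-r-- 1 bill games 360 nov 7 22:55 bdscore
/var/games/xpat2:
total 524
-rw-rw-r-- 1 bill games 531160 feb 27 00:26 xpat.log
/var/games/tidygame:
total 4
-rw-rw---- 1 bill games 100 feb 27 00:26 scores'

# Expected: two directory findings (bombardier, xpat2) and two file
# findings (bdscore, xpat.log); tidygame is 770 root.games and is quiet.
printf '%s\n' "$SAMPLE_LISTING" | audit_listing /var/games ||
    echo "audit: non-compliant entries found"
```

To run it against a real machine, feed it `ls -l /var/games /var/games/*` instead of the sample; the root argument must match the header path ls prints, so pass the same spelling of the top directory.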