
Re: /var/games/package must be 770



On Wed, Feb 27, 2002 at 04:22:30PM -0500, Glenn Maynard wrote:
> On Wed, Feb 27, 2002 at 05:47:42PM +0100, Bill Allombert wrote:
> > Policy 12.11 states that highscore files must be put in
> > a directory with permission 770 root.games, and this is a
> 
> Nope.  It says "Each game decides on its own security policy."

To be fair, it says:
---
Each game decides on its own security policy. 

Games which require protected, privileged access to high-score files,
savegames, etc., may be made set-group-id (mode 2755) and owned by root.games,
and use files and directories with appropriate permissions (770 root.games, for
example).
---

So, yes you are right. But you must use *appropriate* permissions.


> > This is a minor security problem :  if the highscore is always
> 
> It's not a security problem.  It's a risk that people might put in fake
> high scores.  (If you really want to call it "security", it's security
> within the scope of a game, which doesn't really deserve any more
> attention than any other normal bug, unlike real security problems.)

It is a security problem. A user can overwrite the highscore files to exploit a
buffer overflow in the game and wait for another user to play. A user can also
store large files in it to escape quota on /home dir, or to break the /var
partition, or to hide setuid binaries¹, etc...

> > drwxrwxr-x    2 root     games        4096 sep 22 02:41 bombardier
> > drwxrwsr-x    3 root     games        4096 fév 20 14:50 falconseye
> > drwxrwxr-x    2 root     games        4096 sep 28 16:28 omega-rpg
> > drwxrwsr-x    2 root     games        4096 jui  3  2001 powermanga
> > drwxrwsr-x    2 root     games        4096 sep 29 23:20 xpat2
> 
> All of these should be g+s, or the data files will be created with the
> user's primary group.  If usergroups are on, that'll prevent anyone else 
> from writing high scores.

Yes/no. You cannot overwrite the highscore, but you can remove it and recreate
it if you are setgid game. Also the user writing the file will be the owner of
the file, so he can overwrite it. But you are right, for most games it should
be g+s.

Regards,

-- 
Bill. <ballombe@debian.org>

¹Yes, I have been a university student... :-)
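
A check for the conditions discussed in this message (score directories open to others, group-writable directories lacking g+s, files whose group differs from their directory, set-id files stored in a score directory), as an added example that is not part of the original message or of any Debian tooling. The function names are hypothetical, and the default `/var/games` root and `games` group are assumptions taken from the subject line and the policy text quoted above.

```python
import grp
import os
import stat

def mode_findings(mode):
    """Findings for one score directory's permission bits (e.g. 0o2775)."""
    out = []
    if mode & stat.S_IWOTH:
        out.append("world-writable")
    if mode & (stat.S_IROTH | stat.S_IXOTH):
        out.append("accessible to others (the policy's example mode is 770)")
    if mode & stat.S_IWGRP and not mode & stat.S_ISGID:
        out.append("group-writable but not g+s: new files get the creator's primary group")
    return out

def group_name(gid):
    """Group name for a gid, or the number itself if it has no entry."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)

def audit(root="/var/games", group="games"):
    """Return {directory: [findings]} for each subdirectory of root."""
    report = {}
    for entry in sorted(os.scandir(root), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        found = mode_findings(stat.S_IMODE(st.st_mode))
        if group_name(st.st_gid) != group:
            found.append(f"group is {group_name(st.st_gid)}, expected {group}")
        for f in os.scandir(entry.path):
            fst = f.stat(follow_symlinks=False)
            if fst.st_gid != st.st_gid:
                # What happens when a file is created in a directory without g+s
                found.append(f"{f.name}: group differs from directory")
            if stat.S_ISREG(fst.st_mode) and fst.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(f"{f.name}: set-id bit on a file in a score directory")
        if found:
            report[entry.path] = found
    return report

if __name__ == "__main__":
    for path, found in audit().items():
        for item in found:
            print(f"{path}: {item}")
```

Run it as root so that directories already at mode 770 can be listed.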


