Re: /var/games/package must be 770
On Wed, Feb 27, 2002 at 05:47:42PM +0100, Bill Allombert wrote:
> Hello developers,
>
> Policy 12.11 state that highscore files must be put in
> a directory with permission 770 root.games, and this is a
> good thing because users must not be allowed to overwrite
> the highscore file for security reason.
>
> Unfortunately it seems that few games follows this policy.
> Most use 775 root.games /var/games/<package> directory
> with 775 root.games highscore files in it.
>
> This is a minor security problem : if the highscore is always
> created by root, /var/games/<package>/ can be 755 as well.
> Else there is the risk the high score files became owned by a
> normal user. Since the directory is 775 and not 770, this user
> can overwrite the highscore file and create security problems.
>
Sorry, I'm losing you here. If the dir is 775, then root and group
games can read-write the files within this and others may read these
files but certainly not overwrite them.
How do you see it a problem that normal users may _read_ high score files ?
[...]
--
Eric VAN BUGGENHAUT "Hay tampones y tampones..." (Eva Serrano)
Andago
\_|_/ Av. Santa Engracia, 54
\/ \/ E-28010 Madrid - tfno:+34(91)2041100
a n d a g o |-- http://www.andago.com
/\___/\ "Innovando en Internet"
/ | \ eric@andago.com
Reply to: