
Re: [LCFC] templates://nethack/{nethack-common.templates}

Esko Arajärvi wrote:
>> "Leaves it world-writeable" would imply that the a+w bit is set.  It
>> doesn't do that, does it?  It just lets anybody run something that
>> can (in the course of its duties) write to that directory.  Are
>> there known recover exploits that let users modify save files, or is
>> this a "hypothetically possible"?
> The chapter I summarised reads:
>        Since  recover  must be able to read and delete
>        files from the playground and create  files  in
>        the save directory, it has interesting interac‐
>        tions  with  game  security.   Giving  ordinary
>        players  access  to  recover  through setuid or
>        setgid is tantamount to leaving the  playground
>        world-writable,  with  respect to both cheating
>        and messing up other players.   For  a  single-
>        user  system,  this  of  course does not change
>        anything, so some of  the  microcomputer  ports
>        install recover by default.
> This seems to imply that this is a known exploit.

That man page is dated 1993.  There's this:
which expresses the concern that _if_ somebody could use a
(hypothetical) exploit in some setgid-games binary, they would be
able to overwrite /usr/lib/games/nethack/recover (and get that code
run at boot time).  That was because at the time, recover itself was
installed group-writable (which it isn't now); and even then, the 
initscript in fact had safety mechanisms that would have prevented
it running the malicious code with full root privileges.

There are a couple of other security fixes in the changelog (such as
#147166), but as far as I can see the most that's merited is a
warning that it _may_ still have security flaws, not that it's a
known security hole.

> But my suggestion could be 
> improved anyway. The "world-writable" should be explained more or probably 
> changed. Any ideas?

Going back to the current version of the template:

 _Description: Use setgid bit with NetHack's recover utility?
  The "recover" program is installed as part of the nethack-common package
  and exists to help the administrator recover broken save files, etc.
  Recover is traditionally installed with the "setgid" bit (group "games").
  However, this package runs it automatically, as root, during the system
  boot. As a consequence, allowing the utility to use the "games" group
  privileges is only useful to let players recover their save files,
  should NetHack crash or their connection drop mid-game. 
  If you do not choose this option, recovers after a crash or a connection
  drop can only be run as root or by a user who is member of the "games"

After a great deal of picking at it I've ended up with this:

 _Description: Use setgid bit with NetHack's recover utility?
  The "recover" program in the package nethack-common is traditionally
  installed with the "setgid" bit set, so that all users can use it to
  recover their own save files after a crash (with "games" group
  privileges). This is a potential source of security problems.
  This package includes a script that runs during system boot, invoking
  recover on any broken save files it finds. This makes it less likely
  that users will need to run it themselves, so the default is to install
  recover without special permission bits.
  If you choose this option, normal users will be able to run "recover".

Is this an improvement?
JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package
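The distinction the thread turns on is between a playground that is literally world-writable (the other-write bit set) and one that merely has a setgid helper able to write into it. The following audit helper is an added example, not part of this thread or of the nethack package; it classifies a path by those two properties, and the demo builds a constructed playground and a placeholder recover script in a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example: classify a path by the two permission properties discussed
# in the thread. Prints one of: setgid, world-writable,
# setgid+world-writable, plain.
audit_mode() {
  path=$1
  result=""
  # POSIX test -g: true when the setgid bit is set on the file
  if [ -g "$path" ]; then
    result="setgid"
  fi
  # 9th column of "ls -ld" output is the "other" write bit (w or -)
  ow=$(ls -ld "$path" | cut -c9)
  if [ "$ow" = "w" ]; then
    result="${result:+$result+}world-writable"
  fi
  [ -n "$result" ] || result="plain"
  printf '%s\n' "$result"
}

# Constructed demo layout (hypothetical paths, not the package's own):
# a group-writable playground directory and a setgid recover stand-in.
demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/playground"
  chmod 0775 "$tmp/playground"          # group-writable, not a+w
  printf '#!/bin/sh\necho recover\n' > "$tmp/recover"
  chmod 2755 "$tmp/recover"             # traditional setgid install
  printf 'playground: %s\n' "$(audit_mode "$tmp/playground")"
  printf 'recover:    %s\n' "$(audit_mode "$tmp/recover")"
  rm -rf "$tmp"
}

demo
```

Run it as an ordinary user; the playground reports "plain" while recover reports "setgid", which is exactly the situation the quoted man page calls "tantamount to" world-writable: no a+w bit anywhere, but every user who can execute the helper can cause writes into the directory.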
