Re: [LCFC] templates://nethack/{nethack-common.templates}
Esko Arajärvi wrote:
>> "Leaves it world-writeable" would imply that the a+w bit is set. It
>> doesn't do that, does it? It just lets anybody run something that
>> can (in the course of its duties) write to that directory. Are
>> there known recover exploits that let users modify save files, or is
>> this a "hypothetically possible"?
>
> The chapter I summarised reads:
>
> Since recover must be able to read and delete
> files from the playground and create files in
> the save directory, it has interesting interac‐
> tions with game security. Giving ordinary
> players access to recover through setuid or
> setgid is tantamount to leaving the playground
> world-writable, with respect to both cheating
> and messing up other players. For a single-
> user system, this of course does not change
> anything, so some of the microcomputer ports
> install recover by default.
>
> This seems to imply that this is a known exploit.
That man page is dated 1993. There's this:
"http://lkml.indiana.edu/hypermail/linux/kernel/0211.0/0849.html";
which expresses the concern that _if_ somebody could use a
(hypothetical) exploit in some setgid-games binary, they would be
able to overwrite /usr/lib/games/nethack/recover (and get that code
run at boot time). That was because at the time, recover itself was
installed group-writable (which it isn't now); and even then, the
initscript in fact had safety mechanisms that would have prevented
it running the malicious code with full root privileges.
There are a couple of other security fixes in the changelog (such as
#147166), but as far as I can see the most that's merited is a
warning that it _may_ still have security flaws, not that it's a
known security hole.
> But my suggestion could be
> improved anyway. The "world-writable" should be explained more or probably
> changed. Any ideas?
Going back to the current version of the template:
_Description: Use setgid bit with NetHack's recover utility?
The "recover" program is installed as part of the nethack-common package
and exists to help the administrator recover broken save files, etc.
.
Recover is traditionally installed with the "setgid" bit (group "games").
However, this package runs it automatically, as root, during the system
boot. As a consequence, allowing the utility to use the "games" group
privileges is only useful to let players recover their save files,
should NetHack crash or their connection drop mid-game.
.
If you do not choose this option, recovers after a crash or a connection
drop can only be run as root or by a user who is member of the "games"
group.
After a great deal of picking at it I've ended up with this:
_Description: Use setgid bit with NetHack's recover utility?
The "recover" program in the package nethack-common is traditionally
installed with the "setgid" bit set, so that all users can use it to
recover their own save files after a crash (with "games" group
privileges). This is a potential source of security problems.
.
This package includes a script that runs during system boot, invoking
recover on any broken save files it finds. This makes it less likely
that users will need to run it themselves, so the default is to install
recover without special permission bits.
.
If you choose this option, normal users will be able to run "recover".
Is this an improvement?
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
Reply to: