mirror of
https://salsa.debian.org/games-team/bsdgames
synced 2024-12-04 14:46:22 -05:00
91 lines
4.7 KiB
Plaintext
91 lines
4.7 KiB
Plaintext
|
Security of bsd-games and bsd-games-non-free
|
|||
|
============================================
|
|||
|
|
|||
|
Some games maintain system-wide score files or logs, and need
|
|||
|
appropriate privileges to write to these files. They can get these
|
|||
|
privileges by being installed setgid games, or through the files being
|
|||
|
world writable. If they do not have these privileges, they will run,
|
|||
|
but fail to update the score files. Most of the games were written at
|
|||
|
a time when security was not considered important; therefore, making
|
|||
|
games setgid has in the past meant that users can get a shell with gid
|
|||
|
games, and possibly also get access to the accounts of other games
|
|||
|
players by corrupting the score files. (This will also apply to many
|
|||
|
more modern games that are badly written.)
|
|||
|
|
|||
|
In version 2.2, security fixes from OpenBSD have been applied: most of
|
|||
|
the games that have score files will open them on startup, and then
|
|||
|
drop any setgid privileges completely (including the saved gid). This
|
|||
|
limits the effect of a cracked game to corruption of its score file.
|
|||
|
It should be somewhat safer now to make games setgid games than in
|
|||
|
versions 2.1 and earlier, but probably not completely safe; phantasia,
|
|||
|
sail, rogue, hack and tetris do not currently handle their score files
|
|||
|
in the above way, and so should be considered the most dangerous to
|
|||
|
install setgid. If you are auditing these games, phantasia, sail,
|
|||
|
rogue, hack and tetris should be considered the most important to
|
|||
|
audit. In versions before 2.14, rogue had an exploitable buffer
|
|||
|
overrun (see NetBSD Security Advisory 2002-021).
|
|||
|
|
|||
|
An effect of this security policy is that in some cases the score
|
|||
|
files need to be world-readable so that they can be opened for reading
|
|||
|
after the game has dropped privileges, or by a score file reading
|
|||
|
program that was never privileged. In versions before 2.10, the
|
|||
|
phantasia "characs" file (containing passwords for phantasia
|
|||
|
characters) was mistakenly made world readable.
|
|||
|
|
|||
|
You should, of course, only install the games setgid if this is in
|
|||
|
line with system security policy. Games should not be installed
|
|||
|
setuid, since if a setuid game is cracked this allows games to be
|
|||
|
replaced with trojans. Games should not be installed setgid to a
|
|||
|
system group such as "root" or "daemon". In some environments, an
|
|||
|
acceptable alternative may be not to give the games any special
|
|||
|
privileges, but to put trusted users in the games group.
|
|||
|
|
|||
|
An option is to use the "dungeon master" dm to regulate games playing.
|
|||
|
I believe this is safe; games that do not need to run setgid drop the
|
|||
|
setgid privileges they get from dm on startup. If dm is setgid, but
|
|||
|
the games that access score files are not, then they will keep their
|
|||
|
setgid privileges from dm; note that in this case it does not make
|
|||
|
sense for dm to be setgid to some gid other than the one (normally
|
|||
|
"games") with write access to the score files.
|
|||
|
|
|||
|
This package does not yet support security hardening by giving each
|
|||
|
setgid game its own gid, but in some environments you may wish to do
|
|||
|
this.
|
|||
|
|
|||
|
***********************************************************************
|
|||
|
* *
|
|||
|
* DO NOT INSTALL ANY GAMES SETUID, ONLY SETGID. *
|
|||
|
* *
|
|||
|
* INSTALLING GAMES SETGID GAMES MIGHT ENABLE TO GET SHELLS WITH GID *
|
|||
|
* GAMES. *
|
|||
|
* *
|
|||
|
* WHERE GAMES READ A SCORE FILE, IF A USER CAN CORRUPT THIS FILE IT *
|
|||
|
* MIGHT IN SOME CASES MEAN THEY CAN GET ACCESS TO THE ACCOUNTS OF *
|
|||
|
* OTHER USERS PLAYING THAT GAME. *
|
|||
|
* *
|
|||
|
* IF IN DOUBT, CHOOSE THE DEFAULT OPTIONS FOR PERMISSIONS AND DO *
|
|||
|
* WITHOUT SCOREFILES. *
|
|||
|
* *
|
|||
|
* THESE GAMES COME WITH NO WARRANTY. *
|
|||
|
* *
|
|||
|
***********************************************************************
|
|||
|
|
|||
|
If you are compiling these games on an operating system other than
|
|||
|
Linux, be warned that they rely for their security on
|
|||
|
"setregid(getgid(), getgid())" dropping all setgid privileges
|
|||
|
permanently, _including the saved gid_. On some operating systems
|
|||
|
this may fail to drop the saved gid (and indeed such operating systems
|
|||
|
may provide no way for a process not running as root to revoke
|
|||
|
privileges permanently); in such a case, bugs in a game may provide
|
|||
|
access to the games group rather than merely to to that game's score
|
|||
|
file.
|
|||
|
|
|||
|
Joseph S. Myers
|
|||
|
jsm@polyomino.org.uk
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Local Variables:
|
|||
|
mode: text
|
|||
|
End:
|