Security of bsd-games and bsd-games-non-free ============================================ Some games maintain system-wide score files or logs, and need appropriate privileges to write to these files. They can get these privileges by being installed setgid games, or through the files being world writable. If they do not have these privileges, they will run, but fail to update the score files. Most of the games were written at a time when security was not considered important; therefore, making games setgid has in the past meant that users can get a shell with gid games, and possibly also get access to the accounts of other games players by corrupting the score files. (This will also apply to many more modern games that are badly written.) In version 2.2, security fixes from OpenBSD have been applied: most of the games that have score files will open them on startup, and then drop any setgid privileges completely (including the saved gid). This limits the effect of a cracked game to corruption of its score file. It should be somewhat safer now to make games setgid games than in versions 2.1 and earlier, but probably not completely safe; phantasia, sail, rogue, hack and tetris do not currently handle their score files in the above way, and so should be considered the most dangerous to install setgid. If you are auditing these games, phantasia, sail, rogue, hack and tetris should be considered the most important to audit. In versions before 2.14, rogue had an exploitable buffer overrun (see NetBSD Security Advisory 2002-021). An effect of this security policy is that in some cases the score files need to be world-readable so that they can be opened for reading after the game has dropped privileges, or by a score file reading program that was never privileged. In versions before 2.10, the phantasia "characs" file (containing passwords for phantasia characters) was mistakenly made world readable. You should, of course, only install the games setgid if this is in line with system security policy. Games should not be installed setuid, since if a setuid game is cracked this allows games to be replaced with trojans. Games should not be installed setgid to a system group such as "root" or "daemon". In some environments, an acceptable alternative may be not to give the games any special privileges, but to put trusted users in the games group. An option is to use the "dungeon master" dm to regulate games playing. I believe this is safe; games that do not need to run setgid drop the setgid privileges they get from dm on startup. If dm is setgid, but the games that access score files are not, then they will keep their setgid privileges from dm; note that in this case it does not make sense for dm to be setgid to some gid other than the one (normally "games") with write access to the score files. This package does not yet support security hardening by giving each setgid game its own gid, but in some environments you may wish to do this. *********************************************************************** * * * DO NOT INSTALL ANY GAMES SETUID, ONLY SETGID. * * * * INSTALLING GAMES SETGID GAMES MIGHT ENABLE TO GET SHELLS WITH GID * * GAMES. * * * * WHERE GAMES READ A SCORE FILE, IF A USER CAN CORRUPT THIS FILE IT * * MIGHT IN SOME CASES MEAN THEY CAN GET ACCESS TO THE ACCOUNTS OF * * OTHER USERS PLAYING THAT GAME. * * * * IF IN DOUBT, CHOOSE THE DEFAULT OPTIONS FOR PERMISSIONS AND DO * * WITHOUT SCOREFILES. * * * * THESE GAMES COME WITH NO WARRANTY. * * * *********************************************************************** If you are compiling these games on an operating system other than Linux, be warned that they rely for their security on "setregid(getgid(), getgid())" dropping all setgid privileges permanently, _including the saved gid_. On some operating systems this may fail to drop the saved gid (and indeed such operating systems may provide no way for a process not running as root to revoke privileges permanently); in such a case, bugs in a game may provide access to the games group rather than merely to to that game's score file. Joseph S. Myers jsm@polyomino.org.uk Local Variables: mode: text End: