mirror of
https://salsa.debian.org/games-team/bsdgames
synced 2024-12-04 14:46:22 -05:00
91 lines
4.7 KiB
Plaintext
91 lines
4.7 KiB
Plaintext
Security of bsd-games and bsd-games-non-free
|
||
============================================
|
||
|
||
Some games maintain system-wide score files or logs, and need
|
||
appropriate privileges to write to these files. They can get these
|
||
privileges by being installed setgid games, or through the files being
|
||
world writable. If they do not have these privileges, they will run,
|
||
but fail to update the score files. Most of the games were written at
|
||
a time when security was not considered important; therefore, making
|
||
games setgid has in the past meant that users can get a shell with gid
|
||
games, and possibly also get access to the accounts of other games
|
||
players by corrupting the score files. (This will also apply to many
|
||
more modern games that are badly written.)
|
||
|
||
In version 2.2, security fixes from OpenBSD have been applied: most of
|
||
the games that have score files will open them on startup, and then
|
||
drop any setgid privileges completely (including the saved gid). This
|
||
limits the effect of a cracked game to corruption of its score file.
|
||
It should be somewhat safer now to make games setgid games than in
|
||
versions 2.1 and earlier, but probably not completely safe; phantasia,
|
||
sail, rogue, hack and tetris do not currently handle their score files
|
||
in the above way, and so should be considered the most dangerous to
|
||
install setgid. If you are auditing these games, phantasia, sail,
|
||
rogue, hack and tetris should be considered the most important to
|
||
audit. In versions before 2.14, rogue had an exploitable buffer
|
||
overrun (see NetBSD Security Advisory 2002-021).
|
||
|
||
An effect of this security policy is that in some cases the score
|
||
files need to be world-readable so that they can be opened for reading
|
||
after the game has dropped privileges, or by a score file reading
|
||
program that was never privileged. In versions before 2.10, the
|
||
phantasia "characs" file (containing passwords for phantasia
|
||
characters) was mistakenly made world readable.
|
||
|
||
You should, of course, only install the games setgid if this is in
|
||
line with system security policy. Games should not be installed
|
||
setuid, since if a setuid game is cracked this allows games to be
|
||
replaced with trojans. Games should not be installed setgid to a
|
||
system group such as "root" or "daemon". In some environments, an
|
||
acceptable alternative may be not to give the games any special
|
||
privileges, but to put trusted users in the games group.
|
||
|
||
An option is to use the "dungeon master" dm to regulate games playing.
|
||
I believe this is safe; games that do not need to run setgid drop the
|
||
setgid privileges they get from dm on startup. If dm is setgid, but
|
||
the games that access score files are not, then they will keep their
|
||
setgid privileges from dm; note that in this case it does not make
|
||
sense for dm to be setgid to some gid other than the one (normally
|
||
"games") with write access to the score files.
|
||
|
||
This package does not yet support security hardening by giving each
|
||
setgid game its own gid, but in some environments you may wish to do
|
||
this.
|
||
|
||
***********************************************************************
|
||
* *
|
||
* DO NOT INSTALL ANY GAMES SETUID, ONLY SETGID. *
|
||
* *
|
||
* INSTALLING GAMES SETGID GAMES MIGHT ENABLE TO GET SHELLS WITH GID *
|
||
* GAMES. *
|
||
* *
|
||
* WHERE GAMES READ A SCORE FILE, IF A USER CAN CORRUPT THIS FILE IT *
|
||
* MIGHT IN SOME CASES MEAN THEY CAN GET ACCESS TO THE ACCOUNTS OF *
|
||
* OTHER USERS PLAYING THAT GAME. *
|
||
* *
|
||
* IF IN DOUBT, CHOOSE THE DEFAULT OPTIONS FOR PERMISSIONS AND DO *
|
||
* WITHOUT SCOREFILES. *
|
||
* *
|
||
* THESE GAMES COME WITH NO WARRANTY. *
|
||
* *
|
||
***********************************************************************
|
||
|
||
If you are compiling these games on an operating system other than
|
||
Linux, be warned that they rely for their security on
|
||
"setregid(getgid(), getgid())" dropping all setgid privileges
|
||
permanently, _including the saved gid_. On some operating systems
|
||
this may fail to drop the saved gid (and indeed such operating systems
|
||
may provide no way for a process not running as root to revoke
|
||
privileges permanently); in such a case, bugs in a game may provide
|
||
access to the games group rather than merely to to that game's score
|
||
file.
|
||
|
||
Joseph S. Myers
|
||
jsm@polyomino.org.uk
|
||
|
||
|
||
|
||
Local Variables:
|
||
mode: text
|
||
End:
|