Date: Tue, 2 Sep 1997 13:08:13 +0400 (MSD) From: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= <ache@nagual.pp.ru> To: Eivind Eklund <perhaps@yes.no> Cc: current@FreeBSD.ORG Subject: Re: games uid->gid does too much damage! Who ever got this idea and why? Message-ID: <Pine.BSF.3.96.970902125719.716A-100000@nagual.pp.ru> In-Reply-To: <199709011843.UAA18450@bitbox.follo.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 1 Sep 1997, Eivind Eklund wrote: > > but rest of the games (which are sguid under HIDEGAME) is seriously > > broken now too, consider following example from snake.c: > > > > rawscores = open(_PATH_RAWSCORES, O_RDWR|O_CREAT, 0644); > > logfile = fopen(_PATH_LOGFILE, "a"); > > > > /* revoke privs */ > > setegid(getgid()); > > setgid(getgid()); > > > > This files created after first run: > > > > -rw-r--r-- ache games snakerawscores > > -rw-rw-r-- ache games snake.log > > > > It means that any user which run 'snake' first time can damage (overwrite) > > scores and log file. Similar thing for other games too. > > We might want to make /var/games 0770 instead of 0775; this should > solve this problem. Please please check what _each_ game really does. Please test _each_ game writing reading scores/stats properly. 0770 will break things too since some games assume public readable scores. > > I suggest to back out recent games uid->gid completely and remove revike > > mess too. > > I suggest you calm down and check whether things happen for a reason. > This is to avoid security errors in games compromising other accounts. > And it would be courteous to check with the person responsible before > flaming in public; I'm not that hard to get hold of. Well, backing out would be minimal cost. I have nothing about the idea in general, but I wonder, how ever you decide to commit some stuff which: 1) Do setuid() stuff for games which not installed sguid. 2) Broke all games which collect scores. It means that you commit completely untested thing, if you ever run some games after commit as I do, you'll see it. -- Andrey A. Chernov <ache@null.net> http://www.nagual.pp.ru/~ache/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.970902125719.716A-100000>