Date: Tue, 2 Sep 1997 13:08:13 +0400 (MSD)
From: Андрей Чернов
To: Eivind Eklund
cc: current@FreeBSD.ORG
Subject: Re: games uid->gid does too much damage! Who ever got this idea and why?
In-Reply-To: <199709011843.UAA18450@bitbox.follo.net>

On Mon, 1 Sep 1997, Eivind Eklund wrote:

> > but rest of the games (which are sguid under HIDEGAME) is seriously
> > broken now too, consider following example from snake.c:
> >
> >         rawscores = open(_PATH_RAWSCORES, O_RDWR|O_CREAT, 0644);
> >         logfile = fopen(_PATH_LOGFILE, "a");
> >
> >         /* revoke privs */
> >         setegid(getgid());
> >         setgid(getgid());
> >
> > These files are created after first run:
> >
> > -rw-r--r--  ache  games  snakerawscores
> > -rw-rw-r--  ache  games  snake.log
> >
> > It means that any user who runs 'snake' the first time can damage (overwrite)
> > scores and log file. Similar thing for other games too.
>
> We might want to make /var/games 0770 instead of 0775; this should
> solve this problem.

Please please check what _each_ game really does. Please test _each_ game
writing reading scores/stats properly. 0770 will break things too since
some games assume public readable scores.

> > I suggest to back out recent games uid->gid completely and remove revoke
> > mess too.
>
> I suggest you calm down and check whether things happen for a reason.
> This is to avoid security errors in games compromising other accounts.
> And it would be courteous to check with the person responsible before
> flaming in public; I'm not that hard to get hold of.

Well, backing out would be minimal cost. I have nothing about the idea in
general, but I wonder, how ever you decide to commit some stuff which:

1) Does setuid() stuff for games which are not installed sguid.
2) Broke all games which collect scores.

It means that you commit completely untested thing, if you ever run some
games after commit as I do, you'll see it.

--
Andrey A. Chernov
http://www.nagual.pp.ru/~ache/
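
Added example, not part of the original message or of the FreeBSD games code: the quoted snake.c pattern creates the score file owned by whoever runs the game first, and the C code below reproduces that in a scratch directory and shows a check a setgid game could apply before trusting a score file. The function names, the /tmp scratch path and the assumption that players are not members of the score file's group are illustrative.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if `player` could modify the file without the game's setgid
 * privilege: the owner can always chmod and rewrite it, and anyone can if
 * it is world-writable. Assumes players are not in the file's group. */
int score_file_tamperable(mode_t mode, uid_t owner, uid_t player)
{
    if (!S_ISREG(mode)) return 1;      /* directories, FIFOs, devices */
    if (owner == player) return 1;     /* the case from the listing above */
    return (mode & S_IWOTH) != 0;
}

/* Open an existing score file: never create it, never follow a symlink,
 * and refuse one the player could have written directly. */
int open_score_checked(const char *path, uid_t player)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 ||
        score_file_tamperable(st.st_mode, st.st_uid, player)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Reproduce the quoted open(..., O_CREAT, 0644) in a constructed scratch
 * directory. Returns 1 if the checked open rejects the resulting file,
 * 0 if it accepts it, -1 on setup failure. */
int first_run_file_rejected(void)
{
    char dir[] = "/tmp/scoredemoXXXXXX", path[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/snakerawscores", dir);
    int fd = open(path, O_RDWR | O_CREAT, 0644);   /* owner = caller */
    if (fd < 0) { rmdir(dir); return -1; }
    close(fd);
    fd = open_score_checked(path, geteuid());
    if (fd >= 0) close(fd);
    unlink(path);
    rmdir(dir);
    return fd < 0;
}
```

A score file pre-created at install time with an owner other than the player and mode 0664 passes the check; one created on first run by the player does not.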