Date:      Tue, 2 Sep 1997 13:55:28 +0200 (MET DST)
From:      Eivind Eklund <perhaps@yes.no>
To:        Андрей Чернов <ache@nagual.pp.ru>
Cc:        current@freebsd.org
Subject:   Re: games uid->gid does too much damage! Who ever got this idea and why?
Message-ID:  <199709021155.NAA20806@bitbox.follo.net>
In-Reply-To: Андрей Чернов's message of Tue, 2 Sep 1997 13:08:13 +0400 (MSD)
References:  <199709011843.UAA18450@bitbox.follo.net> <Pine.BSF.3.96.970902125719.716A-100000@nagual.pp.ru>

> > > It means that any user who runs 'snake' for the first time can damage (overwrite)
> > > scores and log file. Similar thing for other games too.
> > 
> > We might want to make /var/games 0770 instead of 0775; this should
> > solve this problem.
> 
> Please please check what _each_ game really does. Please test _each_ game
> writing reading scores/stats properly. 0770 will break things too since
> some games assume public readable scores. 

OK, I'm going through and testing implications of this.  I'll check
where it might be necessary to set umasks, too.

> I have nothing about the idea in general, but I wonder, how ever you
> decide to commit some stuff which:
> 
> 1) Do setuid() stuff for games which not installed sguid.

This is from OpenBSD. I assumed their code was there for a
reason; and on thinking this through, I actually found a fairly good
reason for it to be there - this allows an administrator to move around
which games are hidden and not without compromising any security.  Is
there any good reason why they SHOULDN'T be there?

> 2) Broke all games which collect scores.
>
> It means that you commit a completely untested thing, if you ever run
> some games after commit as I do, you'll see it.

I tested that games could run and save/load score-files.  No, I didn't
pay notice to the UIDs saved in /var/games - sorry.  However, I
actually _did_ test.

Eivind.


