Home Explore Help
Sign In
bignose
/
debian_bsdgames
Watch 1
Star 0
Fork 0
Files Issues Pull Requests 0
Branch: feature/virtual-package-adventure
Branches Tags
debian_bsdga...
/
SECURITY

SECURITY 4.7 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091 
  1. Security of bsd-games and bsd-games-non-free
    2. 

  2. ============================================
    3. 

  3. 

  4. Some games maintain system-wide score files or logs, and need
    5. 

  5. appropriate privileges to write to these files.  They can get these
    6. 

  6. privileges by being installed setgid games, or through the files being
    7. 

  7. world writable.  If they do not have these privileges, they will run,
    8. 

  8. but fail to update the score files.  Most of the games were written at
    9. 

  9. a time when security was not considered important; therefore, making
    10. 

  10. games setgid has in the past meant that users can get a shell with gid
    11. 

  11. games, and possibly also get access to the accounts of other games
    12. 

  12. players by corrupting the score files.  (This will also apply to many
    13. 

  13. more modern games that are badly written.)
    14. 

  14. 

  15. In version 2.2, security fixes from OpenBSD have been applied: most of
    16. 

  16. the games that have score files will open them on startup, and then
    17. 

  17. drop any setgid privileges completely (including the saved gid).  This
    18. 

  18. limits the effect of a cracked game to corruption of its score file.
    19. 

  19. It should be somewhat safer now to make games setgid games than in
    20. 

  20. versions 2.1 and earlier, but probably not completely safe; phantasia,
    21. 

  21. sail, rogue, hack and tetris do not currently handle their score files
    22. 

  22. in the above way, and so should be considered the most dangerous to
    23. 

  23. install setgid.  If you are auditing these games, phantasia, sail,
    24. 

  24. rogue, hack and tetris should be considered the most important to
    25. 

  25. audit.  In versions before 2.14, rogue had an exploitable buffer
    26. 

  26. overrun (see NetBSD Security Advisory 2002-021).
    27. 

  27. 

  28. An effect of this security policy is that in some cases the score
    29. 

  29. files need to be world-readable so that they can be opened for reading
    30. 

  30. after the game has dropped privileges, or by a score file reading
    31. 

  31. program that was never privileged.  In versions before 2.10, the
    32. 

  32. phantasia "characs" file (containing passwords for phantasia
    33. 

  33. characters) was mistakenly made world readable.
    34. 

  34. 

  35. You should, of course, only install the games setgid if this is in
    36. 

  36. line with system security policy.  Games should not be installed
    37. 

  37. setuid, since if a setuid game is cracked this allows games to be
    38. 

  38. replaced with trojans.  Games should not be installed setgid to a
    39. 

  39. system group such as "root" or "daemon".  In some environments, an
    40. 

  40. acceptable alternative may be not to give the games any special
    41. 

  41. privileges, but to put trusted users in the games group.
    42. 

  42. 

  43. An option is to use the "dungeon master" dm to regulate games playing.
    44. 

  44. I believe this is safe; games that do not need to run setgid drop the
    45. 

  45. setgid privileges they get from dm on startup.  If dm is setgid, but
    46. 

  46. the games that access score files are not, then they will keep their
    47. 

  47. setgid privileges from dm; note that in this case it does not make
    48. 

  48. sense for dm to be setgid to some gid other than the one (normally
    49. 

  49. "games") with write access to the score files.
    50. 

  50. 

  51. This package does not yet support security hardening by giving each
    52. 

  52. setgid game its own gid, but in some environments you may wish to do
    53. 

  53. this.
    54. 

  54. 

  55. ***********************************************************************
    56. 

  56. *                                                                     *
    57. 

  57. * DO NOT INSTALL ANY GAMES SETUID, ONLY SETGID.                       *
    58. 

  58. *                                                                     *
    59. 

  59. * INSTALLING GAMES SETGID GAMES MIGHT ENABLE TO GET SHELLS WITH GID   *
    60. 

  60. * GAMES.                                                              *
    61. 

  61. *                                                                     *
    62. 

  62. * WHERE GAMES READ A SCORE FILE, IF A USER CAN CORRUPT THIS FILE IT   *
    63. 

  63. * MIGHT IN SOME CASES MEAN THEY CAN GET ACCESS TO THE ACCOUNTS OF     *
    64. 

  64. * OTHER USERS PLAYING THAT GAME.                                      *
    65. 

  65. *                                                                     *
    66. 

  66. * IF IN DOUBT, CHOOSE THE DEFAULT OPTIONS FOR PERMISSIONS AND DO      *
    67. 

  67. * WITHOUT SCOREFILES.                                                 *
    68. 

  68. *                                                                     *
    69. 

  69. * THESE GAMES COME WITH NO WARRANTY.                                  *
    70. 

  70. *                                                                     *
    71. 

  71. ***********************************************************************
    72. 

  72. 

  73. If you are compiling these games on an operating system other than
    74. 

  74. Linux, be warned that they rely for their security on
    75. 

  75. "setregid(getgid(), getgid())" dropping all setgid privileges
    76. 

  76. permanently, _including the saved gid_.  On some operating systems
    77. 

  77. this may fail to drop the saved gid (and indeed such operating systems
    78. 

  78. may provide no way for a process not running as root to revoke
    79. 

  79. privileges permanently); in such a case, bugs in a game may provide
    80. 

  80. access to the games group rather than merely to to that game's score
    81. 

  81. file.
    82. 

  82. 

  83. Joseph S. Myers
    84. 

  84. jsm@polyomino.org.uk
    85. 

  85. 

  86. 

  87. 
    88. 

  88. Local Variables:
    89. 

  89. mode: text
    90. 

  90. End:
    91. 

  91.