[opensuse-factory] /var/games/
Given that bnc#103186 and bnc#429882 are access restricted, could somebody explain this to me?

    # games:games 775 safe as long as we don't change files below it (#103186)
    # still people do it (#429882) so root:root 755 is the consequence.
    /var/games/ root:root 0755

I am thinking about rocksndiamonds. It still installs a directory /var/games/rocksndiamonds/. Don't look too much into the package. I don't think SR#149159 makes sense. But could someone summarize the situation, taking into account that my understanding about file permissions is very basic?

Does /var/games/ have any real use if owned by root? What are the problems explained in bnc#103186 and bnc#429882?

Thanks

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Wed, Jan 23, 2013 at 10:16:42PM +0000, Cristian Morales Vega wrote:
> Given that bnc#103186 and bnc#429882 are access restricted, could somebody explain this to me?
>
>     # games:games 775 safe as long as we don't change files below it (#103186)
>     # still people do it (#429882) so root:root 755 is the consequence.
>     /var/games/ root:root 0755
>
> I am thinking about rocksndiamonds. It still installs a directory /var/games/rocksndiamonds/. Don't look too much into the package. I don't think SR#149159 makes sense. But could someone summarize the situation, taking into account that my understanding about file permissions is very basic?
Previously, /var/games was owned by "games" and binaries had setuid or setgid games permissions to be able to read and write highscore files in this directory. This occasionally had security issues, up to root escalations. So we basically stopped having setuid/setgid games permissions. We left the possibility in for the local administrator to override this via /etc/permissions.local, that's why those calls are still there.
> Does /var/games/ have any real use if owned by root?
Not much today, no.
> What are the problems explained in bnc#103186 and bnc#429882?
I made both bugs public for your reading pleasure. They basically talk about how games could become root when being used, mostly due to RPM following symlinks.

Regarding SR#149159, %run_permissions is obsolete and can be replaced by %set_permissions (or fully got rid of). So this specific %run_permissions could be replaced by %set_permissions %{_bindir}/rocksndiamonds instead.

Ciao, Marcus
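
An added example, not part of the thread and not openSUSE's own tooling: a small audit of the two conditions discussed above, a state directory that a non-root account can write to (games:games 0775 rather than root:root 0755) containing symlinks that lead outside it, and binaries that still carry setuid/setgid bits. The function names, finding labels and the sample tree are assumptions made for this illustration.

```python
import os
import stat
import tempfile

def audit_state_dir(root, trusted_uid=0):
    """Findings for a /var/games-style tree that root-run tools may touch."""
    findings = []
    real_root = os.path.realpath(root)
    # os.walk does not descend into symlinked directories by default.
    for dirpath, dirnames, filenames in os.walk(root):
        st = os.lstat(dirpath)
        # games:games 0775 fails both tests; root:root 0755 passes.
        if st.st_uid != trusted_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((dirpath, "dir-not-root-only"))
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([real_root, target]) != real_root:
                    findings.append((path, "symlink-escapes-tree"))
    return findings

def find_setid(bindir):
    """Regular files in bindir carrying a setuid or setgid bit."""
    hits = []
    for name in sorted(os.listdir(bindir)):
        st = os.lstat(os.path.join(bindir, name))
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            hits.append(name)
    return hits

def build_constructed_tree():
    """Constructed sample: a group-writable score dir holding an escaping symlink."""
    root = tempfile.mkdtemp()
    scores = os.path.join(root, "rocksndiamonds")
    os.mkdir(scores)
    os.chmod(scores, 0o775)
    os.symlink("/constructed-target-outside-tree", os.path.join(scores, "scores"))
    os.symlink(scores, os.path.join(root, "inside-link"))
    return root, scores

if __name__ == "__main__":
    root, _ = build_constructed_tree()
    # trusted_uid is the current user here because the sample is not root-owned.
    for path, problem in audit_state_dir(root, trusted_uid=os.getuid()):
        print(problem, path)
```

On a real system the calls would be `audit_state_dir("/var/games")` with the default `trusted_uid=0` and `find_setid` on the directory holding the game binaries.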