[opensuse-buildservice] Want to package tuxtype with setgid bit for shared data files
Hello,

I maintain tuxmath and tuxtype (upstream and also as packager in my home project - dbruce), and have been working on making them work in closer accordance with proper unix practices.

Both games have a use for modifiable files that are shared by all users - a high score table in tuxmath, and custom word list files in tuxtype.

I have been told by a knowledgable person that the shared variable data should go in /var/games/tuxtype and that this directory should be created setgid and belong to the games group (i.e. "%attr(2755, root, games)"). This would allow users who belong to the "games" group to modify these data. Other users would only be able to read the data.

The openSUSE docs say I need to get specific permission for using setgid (at least if the package is ever going into official repositories), and that the source needs to drop the setgid privileges as soon as possible to minimize any security exposure (http://en.opensuse.org/Packaging/Games). The guidelines give an example of how to do this for a single high score file, which is fine.

However, tuxtype has an in-game word list editor to support the creation of custom word lists so teachers don't have to edit text files with a separate editor. I don't see how I can "drop" setgid on program setup and still be able to let users save new word list files in the shared location.

What's the proper unix way to set this up without creating security problems?

Thanks for any help,

David Bruce

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
[not quite the right list, anyways...]

David Bruce wrote:
> Both games have a use for modifiable files that are shared by all users - a high score table in tuxmath, and custom word list files in tuxtype.
>
> I have been told by a knowledgable person that the shared variable data should go in /var/games/tuxtype and that this directory should be created setgid and belong to the games group (i.e. "%attr(2755, root, games)"). This would allow users who belong to the "games" group to modify these data. Other users would only be able to read the data.
Users are not supposed to be in the games group. It's only used by setgid binaries. However, we would like to get rid of them as well. And now that you remind me I should probably start breaking Factory¹ :-)
> However, tuxtype has an in-game word list editor to support the creation of custom word lists so teachers don't have to edit text files with a separate editor. I don't see how I can "drop" setgid on program setup and still be able to let users save new word list files in the shared location.
>
> What's the proper unix way to set this up without creating security problems?
Allowing users full access to files inevitably leads to security issues if you are not prepared for corrupted files. Therefore the better way would be to have a system daemon that runs as a dedicated user to manage the shared files. The daemon could be controlled via an interface that allows one to e.g. add, remove or query records. Doing that via a daemon also solves locking problems you get if you have concurrent access. The technique in vogue today for such local daemons is DBus and PolicyKit.

[1] http://en.opensuse.org/Games/Fixes

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)