
2009/3/27 Ludwig Nussel <ludwig.nussel@suse.de>:
Cristian Morales Vega wrote:
How is the games group supposed to be used? Tower Toppler wants to set itself in the games group with setgid set so it can write to a global hiscore file that is also in the games group. It seems ok to me, but rpmlint complains about the setgid.
As the message hopefully tells you, setuid/setgid applications need to be reviewed by the security team (if you intend to put this in Factory): http://en.opensuse.org/Packaging/Security_Policies
Yes, it says so. But it isn't a very serious package, for sure not for Factory. Still, setgid to the games group requires a security review??? Isn't the worst thing that could happen just that an attacker would be able to modify hiscore files?

It is my understanding that:
- Binaries should go to /usr/games and should be writable only by root. There are packages with binaries owned by the games user and with user write permission; is that a bug? And looking into it, /etc/permissions* is specifying the games user!!
- Data files should go to /usr/share/games/%{name} and should be writable only by root.
- If there are files that need to be modified, they should go to /var/games/%{name}. The dir itself should be writable only by root, but the file should be writable also by games. Then there are two possibilities:
  - Ask the user to add himself to the games group. If so, he will gain write access to the /var/games/%{name} contents, nothing more.
  - Set the binary group to games with setgid. This seems even more secure since the user will only gain write access to the /var/games/%{name} contents *through the games*, not through any shell.
Should I ignore rpmlint, or is it correct and users able to play games are supposed to be in the games group to start with? If my memory
No.
So, what is the purpose of the games group? If nobody is supposed to be in that group, for practical purposes it is the same if a file has user/group root or games.
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-packaging+help@opensuse.org
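The layout Cristian describes above (root-owned binary and data, root-owned /var/games/%{name} dir, hiscore file group-writable by games, setgid acceptable only with the games group) can be checked mechanically. The script below is an added example written for this thread, not rpmlint or any openSUSE permissions tooling; it assumes GNU stat, and the package name toppler and the GAME_OWNER/GAME_GROUP overrides are constructed so it can also audit a staging tree owned by the packager.

```shell
#!/bin/sh
# Audit one game's installed files against the layout discussed in the thread
# (hypothetical helper, not an openSUSE tool). Rules checked:
#   /usr/games/<name>        owned by $GAME_OWNER, not group/world writable,
#                            setgid only if its group is $GAME_GROUP
#   /usr/share/games/<name>  owned by $GAME_OWNER, not group/world writable
#   /var/games/<name>        dir owned by $GAME_OWNER, writable only by owner;
#                            files inside may be group-writable by $GAME_GROUP
#                            (the hiscore file), never world-writable
# GAME_OWNER/GAME_GROUP default to root/games. Requires GNU stat (-c).
# Returns the number of problems found (0 = layout conforms).
audit_game_layout() {
    root=${1%/}; name=$2
    owner=${GAME_OWNER:-root}; grp=${GAME_GROUP:-games}
    problems=0

    # Sets SGID / GW / OW (non-zero when the setgid, group-write, other-write bit is on)
    perm_info() {
        m=$(stat -c '%a' "$1"); low=${m#"${m%???}"}
        hi=${m%???}; [ -n "$hi" ] || hi=0
        g=${low#?}; g=${g%?}; o=${low#??}
        SGID=$(( hi & 2 )); GW=$(( g & 2 )); OW=$(( o & 2 ))
    }
    complain() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # Binary, data dir and /var dir: owned by root, writable only by the owner
    for p in "$root/usr/games/$name" "$root/usr/share/games/$name" "$root/var/games/$name"; do
        [ -e "$p" ] || { complain "$p missing"; continue; }
        [ "$(stat -c '%U' "$p")" = "$owner" ] || complain "$p not owned by $owner"
        perm_info "$p"
        [ "$GW" -eq 0 ] && [ "$OW" -eq 0 ] || complain "$p is group/world writable"
    done

    # setgid on the binary only makes sense when its group is the games group
    bin="$root/usr/games/$name"
    if [ -f "$bin" ]; then
        perm_info "$bin"
        [ "$SGID" -eq 0 ] || [ "$(stat -c '%G' "$bin")" = "$grp" ] \
            || complain "$bin is setgid but its group is not $grp"
    fi

    # Files in /var/games/<name>: group-writable only by the games group
    for f in "$root/var/games/$name"/*; do
        [ -f "$f" ] || continue
        perm_info "$f"
        [ "$OW" -eq 0 ] || complain "$f is world writable"
        [ "$GW" -eq 0 ] || [ "$(stat -c '%G' "$f")" = "$grp" ] \
            || complain "$f is group-writable by a group other than $grp"
    done
    return "$problems"
}
```

Run it as `audit_game_layout / toppler` on an installed system, or with `GAME_OWNER=$(id -un) GAME_GROUP=$(id -gn) audit_game_layout "$RPM_BUILD_ROOT" toppler` against a build root before the owner/group are applied at install time.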