In message <Pine.NEB.3.96.971118135544.22439A-100000@cynic.portal.ca>, Curt Sam
pson writes:
>1. The binaries of the games are easily available, and can be
>downloaded and run by normal users.

Yes, but those downloaded binaries will not be able to alter high scores.

>2. Therefore, on any system with Interenet access, dm will not
>fulfil its role of stopping people from playing games.

I thought it's role was to discourage casual excesses; any user
who can download files can also 'yes > /dev/null &'.  However,
dm is a good way of hinting at policy.

>3. Since it's also dead easy to uuencode and e-mail binaries, on
>any system that exchanges usenet e-mail, dm will not fulfil its
>role of stopping people from playing games.

It will stop the very casual user, and it will provide a strong hint
to policy.  :)

>4. dm is only useful on systems with multiple users; on a personal
>workstation with only one user, obviously the user can get around
>dm, since he set it up in the first place.

This is arguably true, although, you might as well claim that "non
root accounts are only useful on systems with multiple users".  In
practice, I rather like the "security" of the game-private files.

>This doesn't leave a whole lot of machines out there on which dm
>is useful, does it?

Yes, it does.  We use it on my ISP (admittedly, on our BSDI machine,
not the NetBSD one), and we are happy with it.  It leaves us with a
way to enforce draconian and stupid policies at a whim.  :)

>1. We need do less program validation, since stop running several
>executables suid. It saves us work.

This could be easily addressed by making dm smarter about setuid.

>2. Not running programs suid is a good thing in general, as far as
>security goes. The fact that someone out there may have stopped
>another person from playing fish during certain hours is small
>comfort to those of us whose accounts have been open to being taken
>over by others for several years now. And yes, you think that with
>your changes it's secure now. But that's just what whoever created
>dm in the first place thought.

I think the obvious change to dm *does* make it secure, or at least,
as secure as it can be if you trust the game writers, which we pretty
much have to.

I guess, I like dm.  It's a neat feature, and it's not one I'd be
happy to lose.  Think of a school with lots of kids trying to use
the computers - dm is *exactly* what you want to use to keep the
kids out of trouble.  :)

(Yes, I'd give small children Unix access.  I think it's perfectly
reasonable.)

-s