Subject: Re: Removing dm(1)
To: Curt Sampson <cjs@portal.ca>
From: matthew green <mrg@eterna.com.au>
List: netbsd-users
Date: 11/19/1997 17:06:08
   1. The binaries of the games are easily available, and can be
   downloaded and run by normal users.

   2. Therefore, on any system with Internet access, dm will not
   fulfil its role of stopping people from playing games.

so what ?  i'm running a system in an academic environment, and
i say to my users `do not run games outside of these hours', and
i enforce that with dm.conf, and if they get around me by downloading
their own copies, then i'll suspend their account.
   
   3. Since it's also dead easy to uuencode and e-mail binaries, on
   any system that exchanges usenet e-mail, dm will not fulfil its
   role of stopping people from playing games.

see above.
   
   4. dm is only useful on systems with multiple users; on a personal
   workstation with only one user, obviously the user can get around
   dm, since he set it up in the first place.

i dunno, i like peter seebach's comment.  if i set up dm.conf to
stop me playing tetris while i'm at work, and i try to run it, it
will stop me.  sure, i can go change dm.conf, or whatever, at this
point, but, as above `so what ?'
   
   So what do we gain by removing it?
   
   1. We need do less program validation, since we stop running several
   executables suid. It saves us work.
   
   2. Not running programs suid is a good thing in general, as far as
   security goes. The fact that someone out there may have stopped
   another person from playing fish during certain hours is small
   comfort to those of us whose accounts have been open to being taken
   over by others for several years now. And yes, you think that with
   your changes it's secure now. But that's just what whoever created
   dm in the first place thought.

(as was pointed out to me by darren reed, having root own the
binaries isn't a solution).  so, we get rid of set user id games
programs and replace them with set group id games programs.  that
seems like the best of both worlds to me:  the games are not
writable by group games, yet the high scores files, etc, can be,
and you continue to make the binaries runnable only by group games,
and then you're left with dm only being set group id.  now, if
someone breaks the games account, they can only fiddle with high
scores, etc., not the binaries themselves.
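the layout described above, modelled in a scratch directory with a check that the invariants hold (an added example, not code from the thread or from NetBSD; the caller's own group stands in for group games so it runs unprivileged, and all paths and files under $ROOT are constructed):

```shell
#!/bin/sh
# Model the setgid-games layout: game binaries runnable only by the group and
# not group-writable, score files group-writable, dm setgid (never setuid).
# Assumption: $(id -gn) stands in for group "games"; everything is constructed.

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
GAMES_GRP=$(id -gn)

setup_games_layout() {
    rm -rf "$ROOT/bin" "$ROOT/var"
    mkdir -p "$ROOT/bin" "$ROOT/var"
    printf '#!/bin/sh\necho tetris\n' > "$ROOT/bin/tetris"   # constructed game
    : > "$ROOT/var/tetris.scores"                              # constructed scores
    printf '#!/bin/sh\nexec "$@"\n' > "$ROOT/bin/dm"          # constructed dm
    chgrp "$GAMES_GRP" "$ROOT/bin/tetris" "$ROOT/var/tetris.scores" "$ROOT/bin/dm"
    chmod 0550 "$ROOT/bin/tetris"        # game: group may run it, nobody in group writes it
    chmod 0660 "$ROOT/var/tetris.scores" # scores: group-writable so the game can update them
    chmod 2555 "$ROOT/bin/dm"            # dm: setgid games, executable by all, not setuid
}

# mode_str FILE -> first 10 characters of ls -l, portable across BSD and Linux
mode_str() { ls -ld "$1" | cut -c1-10; }

# check_games_layout -> 0 when every invariant holds, 1 on the first violation
check_games_layout() {
    m=$(mode_str "$ROOT/bin/tetris")
    case "$m" in -r-xr-x---) ;; *) echo "bad game mode: $m"; return 1;; esac
    m=$(mode_str "$ROOT/var/tetris.scores")
    case "$m" in -rw-rw----) ;; *) echo "bad score mode: $m"; return 1;; esac
    m=$(mode_str "$ROOT/bin/dm")
    case "$m" in -r-xr-sr-x) ;; *) echo "bad dm mode: $m"; return 1;; esac
    # dm must carry setgid, and no binary may carry setuid
    [ -g "$ROOT/bin/dm" ] || { echo "dm is not setgid"; return 1; }
    if [ -u "$ROOT/bin/dm" ] || [ -u "$ROOT/bin/tetris" ]; then
        echo "setuid bit present"; return 1
    fi
    return 0
}

setup_games_layout
check_games_layout && echo "layout ok"
```

with this layout a compromise of the games group yields write access to the score files only; the binaries and dm stay read-only to it.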