tech-pkg archive
Re: the setgid games mess
On Sat, Nov 28, 2009 at 06:44:08PM +0100, Joerg Sonnenberger wrote:
> > Well, it's not unreasonable to suppose that some platform might appear
> > where there's e.g. an existing games group called something other than
> > "games". But perhaps not.
>
> I am willing to burn that bridge when we hit it.
ok.
> > > > - GAMEMODE/GAMEDIRMODE/GAMEDATAMODE should not be defined in the
> > > > platform .mk files but in someplace common. They should not be in
> > > > mk/defaults/mk.conf either. Someone please tell me where the
> > > > right place is!
> > >
> > > Why not in mk/defaults/mk.conf?
> >
> > Because these aren't things meant to be set by users in mk.conf? Or is
> > that not the standard for defaults/mk.conf?
>
> I don't see why they shouldn't be. They are overridable ATM if
> SETGIDNAME=no.
ok then.
> > > > - When UNPRIVILEGED=yes, GAMES_GROUP, GAMEMODE, GAMEDIRMODE, and
> > > > GAMEDATAMODE should be adjusted accordingly, to
> > > > UNPRIVILEGED_GROUP, 555, 755, and 644 respectively. This is at
> > > > least partly already in place.
> > >
> > > I don't see the point in this.
> >
> > It makes most things build, install, and work when unprivileged?
>
> chmod 664 works for unprivileged too. Whether or not it creates a
> problem like "do all users share one group" is the relevant question.
> I'd be careful about making assumptions in this area though.
Well, yes, but one has to adjust GAMES_GROUP and GAMEMODE or install
won't go, so changing the rest to be tidy seems like a good thing.
Especially since mode 755/644 will work regardless, while 775/664
might create a security gap.

I suppose there's some chance that someone might want the game
installed setgid UNPRIVILEGED_GROUP.

Is unprivileged.mk set up so that settings adjusted there can be
overridden by mk.conf?
--
David A. Holland
dholland%netbsd.org@localhost