Subject: /usr/games - group writable or not?
To: None <tech-security@NetBSD.ORG>
From: Bruce Barnett <barnett@grymoire.crd.ge.com>
List: tech-security
Date: 11/19/1997 09:34:00
>I *really* don't understand the
>concept of a `bin' account or group, when it comes to security issues.

It allows someone to have privileges of adding/installing files
in a directory without having root access. I think this concept is flawed.
Directories should be owned by root, especially if NFS is used.

> Would making all the score-file keeping programs setgid instead of
> setuid make this safer?

Yes. After reading dozens of messages, it seems many agree.

>Anyway, most of the games should be easy to convert to setgid games. Just
>make /var/games 775, eg.

I disagree, and no one else has. Let me explain.

I am not familiar with the dm package, so I may be missing something.

If the games directory is group writable, then any setgid to games
program could replace one of the files in this directory (a trojan
horse attack). This isn't a big threat, if root never executes any
games.  But sys-admin types do play games once in a while. And a trojan
horse can be used to break into a sys-admin's account, which can be
used to break into the root account. Paranoid? Perhaps.

If on the other hand the directory is not group writable, then each
file, or subdirectory must be created ahead of time. This may require a
bit of extra work, but it could be part of the install process. A
subdirectory can be created inside that is group writable - just for
the purposes of a single game. Therefore games like rogue/hack can have
saved sessions.

It seems to me that removing group-write privilege from the games
directory is safer.  Any log/score files could be created
group-writable inside a directory that is NOT group writable. Only root
can install games, however.  And then again, as a sys admin, I would
not mind doing the following, especially if someone showed me exactly
what had to be done:

	cp ~user/bin/newgame /usr/games
	chgrp games /usr/games/newgame
	chmod 2755 /usr/games/newgame          # setgid games, not setuid
	touch /usr/games/newgame.score
	mkdir /usr/games/newgame.sessions      # sibling of the binary, not under it
	# the setgid-games program can only write these if they are group games
	chgrp games /usr/games/newgame.score /usr/games/newgame.sessions
	chmod 775 /usr/games/newgame.sessions /usr/games/newgame.score

I would certainly NOT do a "make install" as root, or run a script as
root.  I would do a "make -n install" and then cut and paste the
commands if it seemed safe.

Assuming you do decide to install the game, this seems to be the safest
action to take.
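An added audit script (not part of the original post) that checks a games directory against the layout argued for above: the directory and any set-id binary in it must not be group writable, while group-writable score/session entries are merely noted. The `make_layout` helper and the `newgame` names build a constructed stand-in for /usr/games in a temp directory; the group-write test parses column 6 of `ls -ld`, which is the same on GNU and BSD ls.

```shell
#!/bin/sh
# group_writable FILE: true if FILE's group write bit is set.
# Column 6 of "ls -ld" is the group write flag on GNU and BSD ls.
group_writable() {
    [ "$(ls -ld "$1" | cut -c6)" = "w" ]
}

# audit_games_dir DIR: return the number of layout violations.
# A violation is (a) DIR itself group writable, so anything running
# setgid games could swap in a replacement binary, or (b) a setuid or
# setgid file inside DIR that is group writable.  Group-writable score
# files and session directories are reported but allowed.
audit_games_dir() {
    dir=$1 bad=0
    if group_writable "$dir"; then
        echo "BAD:  $dir is group writable"
        bad=$((bad + 1))
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        group_writable "$f" || continue
        if [ -f "$f" ] && { [ -u "$f" ] || [ -g "$f" ]; }; then
            echo "BAD:  set-id binary $f is group writable"
            bad=$((bad + 1))
        else
            echo "note: $f is group writable (ok for scores/sessions)"
        fi
    done
    return "$bad"
}

# make_layout MODE: build a constructed /usr/games stand-in in a temp
# directory, set the directory itself to MODE, and print its path.
make_layout() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho newgame\n' > "$d/newgame"
    chmod 2755 "$d/newgame"                 # setgid games binary
    : > "$d/newgame.score";  chmod 664 "$d/newgame.score"
    mkdir "$d/newgame.sessions"; chmod 775 "$d/newgame.sessions"
    chmod "$1" "$d"
    echo "$d"
}

# Stand-alone run: the "775" proposal is flagged, the 755 layout passes.
for mode in 775 755; do
    audit_games_dir "$(make_layout "$mode")" \
        && echo "$mode: ok" || echo "$mode: $? violation(s)"
done
```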

Comments?