Standardizing various games packaging things across distros

Ludwig Nussel ludwig.nussel at suse.de
Wed May 4 01:39:34 PDT 2011


Hans de Goede wrote:
> I've made a list of points which I would like us to come to some
> start of standard for below:
> [... ACK]
> 4) Handling of sgid rights for shared/global highscore files
> 
> Many games support a global highscore table shared between different
> users, this usually involves sgid games rights, combined with
> a gid games writable score file somewhere under /var.
> 
> Having sgid binaries brings certain security issues with it, and
> as we all know most games have not been written really robust
> when it comes to dealing with unexpected input / error handling.
> 
> This leads to the following potential attack scenario:
> 1) attacker starts a sgid games game, subverts it
> 2) attacker writes invalid data crafted to subvert
> 2a) the same game, to the highscore file
> 2b) another game, to another highscore file
> 3) intended target starts the game with the malicious
> highscore file
> 4) game does things the attacker wanted with the targets rights

Another attack vector is packages (e.g. %post scripts) that do
things with group-games-owned files or directories. There's
potential to escalate to root by playing symlink tricks, leading to
e.g. a chmod on /etc/shadow or something like that.

IMO the "global highscore" feature which actually is a "local
machine highscore" should simply not be enabled by default in distro
packages. Packages should store their highscore in $HOME.
If daddy wants his offspring to compete he could still set some ACLs
on the global highscore file.

An ideal solution would be some kind of standardized highscore
protocol. So games could post their highscore to either a local
highscore daemon or some service on the internet. I guess that's
never going to happen though :-)

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 
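An added example, not part of the thread above and not code from any of the games or distributions it discusses: a defensive reader for a shared highscore file of the kind Hans describes, written from the mitigation side of the scenario he outlines (crafted score data fed to a privileged reader) and of the symlink trick Ludwig mentions. Everything about the file is assumed: one record per line in the hypothetical form `<score>:<name>`, a POSIX system where `O_NOFOLLOW` is available, and a dedicated games group whose gid the caller may pass in. The reader refuses symlinks at the score path, inspects the descriptor it actually opened rather than the path, caps the file size, and validates every record against a strict allow-list instead of trusting the file's contents.

```python
"""Defensive highscore reader (added example; hypothetical file format)."""
import os
import stat
import tempfile

MAX_FILE_BYTES = 64 * 1024   # assumed cap: a score table never needs more
MAX_NAME_LEN = 32            # assumed limit on a player name
MAX_ENTRIES = 100            # assumed number of entries the game displays
_ALLOWED_NAME = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 _-"
)


def parse_highscore_line(line: str):
    """Return (score, name) for a well-formed record, or None for anything else.

    Malformed lines are dropped rather than "repaired": a reader running with
    group privileges must never act on data it did not fully understand."""
    score_text, sep, name = line.rstrip("\n").partition(":")
    if not sep or not score_text.isdigit() or not name:
        return None
    if len(score_text) > 12 or len(name) > MAX_NAME_LEN:
        return None
    if any(ch not in _ALLOWED_NAME for ch in name):
        return None
    return int(score_text), name


def read_highscores(path: str, expected_gid=None):
    """Read a score table defensively.

    Raises OSError (symlink at the path) or ValueError (wrong file type, wrong
    group, oversized file) instead of silently reading something unexpected."""
    # O_NOFOLLOW refuses a symlink at the final path component, so a link
    # planted at the score path is an error rather than a file to follow.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)          # check the object we actually opened
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("highscore path is not a regular file")
        if expected_gid is not None and st.st_gid != expected_gid:
            raise ValueError("highscore file is not owned by the games group")
        if st.st_size > MAX_FILE_BYTES:
            raise ValueError("highscore file is suspiciously large")
        data = os.read(fd, MAX_FILE_BYTES)
    finally:
        os.close(fd)
    entries = []
    # Undecodable bytes become U+FFFD, which the allow-list rejects.
    for raw in data.decode("utf-8", errors="replace").splitlines():
        parsed = parse_highscore_line(raw)
        if parsed is not None:
            entries.append(parsed)
    entries.sort(key=lambda e: e[0], reverse=True)
    return entries[:MAX_ENTRIES]


def demo():
    """Read back a constructed sample table containing good and bad records."""
    sample = (
        "1500:alice\n"
        "900:bob\n"
        "not-a-score:eve\n"              # constructed: non-numeric score
        "300:" + "x" * 200 + "\n"        # constructed: oversized name
        "42:mallory;rm -rf /\n"          # constructed: characters outside the allow-list
        "2000:carol\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "scores")
        with open(path, "w") as f:
            f.write(sample)
        return read_highscores(path)


def demo_symlink_refused():
    """Return True if a symlink planted at the score path is refused, not followed."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "victim")
        with open(target, "w") as f:
            f.write("1:x\n")
        link = os.path.join(tmp, "scores")
        os.symlink(target, link)
        try:
            read_highscores(link)
        except OSError:
            return True
        return False


if __name__ == "__main__":
    print(demo())                      # only the three well-formed records survive
    print(demo_symlink_refused())
```

The group check is optional in this example because the temporary file the demo writes carries whatever gid the running process has; in a packaged game the caller would pass the games group's gid and, as the rest of the thread argues, drop the sgid privilege as soon as the score file has been opened.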