Standardizing various games packaging things across distros

Hans de Goede hdegoede at redhat.com
Wed May 4 02:03:19 PDT 2011


Hi,

On 05/04/2011 10:39 AM, Ludwig Nussel wrote:
> Hans de Goede wrote:
>> I've made a list of points which I would like us to come to some
>> start of standard for below:
>> [... ACK]
>> 4) Handling of sgid rights for shared/global highscore files
>>
>> Many games support a global highscore table shared between different
>> users, this usually involves sgid games rights, combined with
>> a gid games writable score file somewhere under /var.
>>
>> Having sgid binaries brings certain security issues with it, and
>> as we all know most games have not been written really robustly
>> when it comes to dealing with unexpected input / error handling.
>>
>> This leads to the following potential attack scenario:
>> 1) attacker starts a sgid games game, subverts it
>> 2) attacker writes invalid data crafted to subvert
>> 2a) the same game, to the highscore file
>> 2b) another game, to another highscore file
>> 3) intended target starts the game with the malicious
>> highscore file
>> 4) game does things the attacker wanted with the target's rights
>
> Another attack vector is packages (e.g. %post scripts) that do
> things with group games owned files or directories. There's
> potential to escalate to root by playing symlink tricks leading to
> e.g. a chmod on /etc/shadow or something like that.
>

Well, there should simply be no %post scripts messing with these files,
and rpm itself is smart enough to not fall for symlink attacks. Also
notice that my proposed fix disallows the user from creating a symlink in
the first place; all he gets access to if he subverts the game is a
filehandle to the rw opened score file.

> IMO the "global highscore" feature which actually is a "local
> machine highscore" should simply not be enabled by default in distro
> packages.

I disagree, why disable a long-standing feature of many of these games,
esp. given that there have been very few security issues with this
even though it has been common practice for ages?

> An ideal solution would be some kind of standardized highscore
> protocol. So games could post their highscore to either a local
> highscore daemon or some service on the internet. I guess that's
> never going to happen though :-)

That would be cool, I agree :)

Regards,

Hans

