Re: games user and group

Michael Thomas wrote:
I've got a few questions regarding the use of the 'games' user and group
for game packages.  The resulting recommended practices will be posted
to the Extras/SIGs/Games wiki page.

Daemon processes
================
Some games such as wesnoth and xpilot-ng come with server daemons.  I
see three choices for the owner of these daemon processes:

1) root (ick!)
2) Allocate a separate '<gamename>' user for each package/daemon
3) Piggyback on the 'games' user

My preference would be #3.  Are there any drawbacks to reusing the
'games' user to run various game daemons?

Scoreboard files
================
Two packages that I recently submitted for review ('rogue' and 'ularn')
use the 'games' group and a setgid executable so that all users have
access to the shared scoreboard file.  Are there any security issues
that we need to be aware of when using setgid games?

File ownership
==============
Almost every package that I see in FE uses %defattr(-,root,root,-).  Is
there any reason why we shouldn't be using %defattr(-,games,games,-) for
game packages (including documentation, manpages and such)?

The consensus from fedora-devel and fedora-extras is this:

* Use a unique user for each game daemon as a minimum. Layer other security tools such as selinux on top of that.

* No comment on the use of setgid 'games' executables for writing to a shared scoreboard file. I'll assume that this is acceptable.

* Files should be owned by root.root, with the exception of the shared writable files (scoreboard, etc.).

I'll update this on the Extras/SIGs/Games wiki page at some point today.

Thanks for the feedback,

--Mike

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
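
One way to check a built game package against the ownership rules summarised in the message above, as an added example that is not part of the original post or of any Fedora tooling. The /var/games/ location for shared scoreboard files, the sample paths and the "examplegame" names are assumptions; the check that a setgid binary is not writable by its own group goes beyond what the message states.

```python
# Added example: audit "<perms> <owner> <group> <path>" lines, e.g. from
#   rpm -qp --qf '[%{FILEMODES:perms} %{FILEUSERNAME} %{FILEGROUPNAME} %{FILENAMES}\n]' pkg.rpm
SHARED_DIR = "/var/games/"  # assumption: location of shared scoreboard files

def audit_entry(perms, owner, group, path):
    """Return policy findings for one packaged file (empty list means OK)."""
    setuid, setgid = perms[3] in "sS", perms[6] in "sS"
    group_w, world_w = perms[5] == "w", perms[8] == "w"
    kind = perms[0]                      # '-' file, 'd' directory, 'l' symlink
    findings = []
    if kind == "l":
        return findings                  # symlink mode bits are not meaningful
    if setuid:
        findings.append("setuid bit set")
    if world_w:
        findings.append("world-writable")
    if owner != "root":
        findings.append(f"owner is {owner}, expected root")
    if setgid and kind == "-":
        if group != "games":
            findings.append(f"setgid to {group}, expected games")
        if group_w:                      # group members could replace the binary
            findings.append("setgid binary is writable by its own group")
    elif path.startswith(SHARED_DIR):    # the one exception: shared writable files
        if group != "games" or not group_w:
            findings.append("shared file should be root:games and group-writable")
    elif group != "root":
        findings.append(f"group is {group}, expected root")
    return findings

def audit(manifest):
    """Map each non-compliant path to its list of findings."""
    report = {}
    for line in manifest.strip().splitlines():
        perms, owner, group, path = line.split(None, 3)
        found = audit_entry(perms, owner, group, path)
        if found:
            report[path] = found
    return report

# Constructed sample manifest (package names from the message, paths assumed).
SAMPLE = """
-rwxr-sr-x root games /usr/bin/rogue
-rw-rw-r-- root games /var/games/rogue.scores
-rw-r--r-- root root /usr/share/man/man6/rogue.6.gz
-rwxr-xr-x games games /usr/bin/ularn
-rwsr-xr-x root root /usr/bin/examplegame
-rwxrwsr-x root games /usr/bin/examplegame2
"""

if __name__ == "__main__":
    for path, found in audit(SAMPLE).items():
        print(path, "->", "; ".join(found))
```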
