Hi,

On 05/04/2011 10:39 AM, Ludwig Nussel wrote:
> Hans de Goede wrote:
>> I've made a list of points which I would like us to come to some
>> start of standard for below:
>> [... ACK]
>> 4) Handling of sgid rights for shared/global highscore files
>>
>> Many games support a global highscore table shared between different
>> users, this usually involves sgid games rights, combined with
>> a gid games writable score file somewhere under /var.
>>
>> Having sgid binaries brings certain security issues with it, and
>> as we all know most games have not been written really robust
>> when it comes to dealing with unexpected input / error handling.
>>
>> This leads to the following potential attack scenario:
>> 1) attacker starts a sgid games game, subverts it
>> 2) attacker writes invalid data crafted to subvert
>> 2a) the same game, to the highscore file
>> 2b) another game, to another highscore file
>> 3) intended target starts the game with the malicious
>> highscore file
>> 4) game does things the attacker wanted with the targets rights
>
> Another attack vector are packages (e.g. %post scripts) that do
> things with group games owned files or directories. There's
> potential to escalate to root by playing symlink tricks leading to
> e.g. a chmod on /etc/shadow or something like that.
>

Well there should simply be no %post scripts messing with these files,
and rpm itself is smart enough to not fall for symlink attacks.

Also notice that my proposed fix, disallows the user to create a symlink
in the first place, all he gets access to if he subverts the game is a
filehandle to the rw opened score file.

> IMO the "global highscore" feature which actually is a "local
> machine highscore" should simply not be enabled by default in distro
> packages.

I disagree, why disable a long standing feature of many of these games,
esp. given that there have been very little security issues with this
even though it has been common practice for ages..

> An ideal solution would be some kind of standardized highscore
> protocol. So games could post their highscore to either a local
> highscore daemon or some service on the internet. I guess that's
> never going to happen though :-)

That would be cool, I agree :)

Regards,

Hans