Dolda2000 n00b
Joined: 05 Mar 2004 Posts: 37 Location: Täby, Sweden
Posted: Wed Jun 08, 2005 1:37 am Post subject: Gentoo and the `games' group
Hi Gentoo lovers!
I'd be glad if someone could answer a question that has had me flabbergasted since I first installed Gentoo: Why does Gentoo completely break the `games' group?
As we all know, the traditional use of the games group is to enable games to keep a system-wide highscore that cannot be modified by any user by being SGID games. A pretty nifty feature, if you ask me. Every distro except Gentoo that I've ever seen does this.
Gentoo, however, completely ignores this and not only does not set SGID games on game executables, but also requires users to actually be in the games group to be allowed to even play games. This not only breaks highscore keeping for games that are executable by those outside the games group (e.g. gnome-games), but also makes it more than just a little ugly to have Gentoo interoperate with other distros. If I'm having a user in the games group on my NIS server, so that he can play games on Gentoo machines, he can also edit the highscore files on non-Gentoo machines. Admittedly, that's not exactly a first priority security breach, but it is most certainly ugly.
So again, my question is: Why? It seems fairly worthless anyway, since if a user wants to play a game, he can just download the source and compile it himself either way, so it doesn't exactly stop anyone anyway...
I'd also like to pose a second question: Is it possible to revert this for all games packages in some easy way? |

-=GGW=- $ol!d $n4>|e Veteran
Joined: 12 Apr 2004 Posts: 1616 Location: USA
Posted: Wed Jun 08, 2005 1:59 am
I think having a games group is very useful, it discourages anyone who you don't want playing games from playing them, also, why shouldn't Gentoo reign superior over other distros' high scores.. |

makomk n00b
Joined: 15 Jul 2005 Posts: 46 Location: Not all there
Posted: Sat Aug 13, 2005 2:22 pm
I can't seem to find an official answer to this question. Does anyone know why the Gentoo developers decided to give the "games" group a different meaning from the more usual one?
As Dolda2000 said, it does seem pretty pointless to restrict who can run games (at least in the default setup - a few people might find it useful). It's also a bit confusing, and ignores what I gather is a long-standing tradition of using setgid game executables to protect high score tables from tampering. |

andrewd18 Guru
Joined: 11 Apr 2004 Posts: 364 Location: Wisconsin, USA
Posted: Sat Aug 13, 2005 6:57 pm
Quote: | I can't seem to find an official answer to this question. Does anyone know why the Gentoo developers decided to give the "games" group a different meaning from the more usual one? |
BECAUSE GAMES ARE BAD. I DON'T WANT PEOPLE IN MY HOUSEHOLD PLAYING ANYTHING AT ALL. NOT DOOM3, NOT TUXRACER, NOT EVEN FSCKING GNOBOTS. SO THERE.
On a serious note, does it really break the games group? Does the games group even have any meaning outside of Gentoo (I can play games in SUSE whether or not I'm in the games group...)?
~~ Andrew D. _________________ Keep Your Toolchain Stable! - emwrap.sh
There's no place like ::1 |

Aynjell Veteran
Joined: 28 Jun 2004 Posts: 1117
Posted: Sat Aug 13, 2005 7:08 pm
Isn't games group basically just putting /usr/games/bin into your path? _________________ CPU: 3800+ X2 (2.5Ghz)
GPU: eVGA 7600GT (640/1700)
MOBO: DFI SLI-DR (Surprisingly good!)
RAM: 2 x OCZ Gold 1024 DDR500 3-4-3-7 (2048)
HDD: Western Digital Raptor |

makomk n00b
Joined: 15 Jul 2005 Posts: 46 Location: Not all there
Posted: Sun Aug 14, 2005 4:32 pm
Aynjell wrote: | Isn't games group basically just putting /usr/games/bin into your path? |
No. Adding someone to the games group may add /usr/games/bin to the user's path (though I think it's there anyway), but the main purpose is to allow them to actually execute the games. If you
Code: | ls -l /usr/games/bin/ |
you'll see that only root and members of the games group have execute permissions for the games, which means that they are the only ones who can run them. (Also note that users who aren't in the games group will probably find games don't turn up in shell command completion, even if /usr/games/bin is in their path, because the games aren't executable.) |
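
The two layouts contrasted in Dolda2000's opening post and in makomk's post above can be told apart from file modes alone. This is an added example, not something posted in the thread: it classifies a game binary as setgid-games or group-only and reports who can rewrite its score file. It assumes GNU stat and a group named games (GAMES_GROUP); the function names are hypothetical, and the optional third argument is a group(5)-format file to read members from instead of getent.

```shell
#!/bin/sh
# Added example, not from the thread. Needs GNU stat. GAMES_GROUP and all
# function names are assumptions made for this illustration.
GAMES_GROUP="${GAMES_GROUP:-games}"

# Permission bits of FILE as an octal literal for $(( )), e.g. 02755.
mode_of() { printf '0%s\n' "$(stat -c '%a' "$1")"; }

# classify_game FILE -> sgid-model | group-only | other
classify_game() {
    m=$(mode_of "$1")
    [ "$(stat -c '%G' "$1")" = "$GAMES_GROUP" ] || { echo other; return; }
    if [ $(( $m & 02011 )) -eq $(( 02011 )) ]; then
        echo sgid-model   # anyone may run it; it runs with the games gid
    elif [ $(( $m & 0011 )) -eq $(( 0010 )) ]; then
        echo group-only   # only the owner and group members may run it
    else
        echo other
    fi
}

# members_of GROUP [FILE] -> listed members, from a group(5) file or getent
members_of() {
    if [ -n "$2" ]; then
        awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
    else
        getent group "$1" | cut -d: -f4
    fi
}

# score_verdict GAME SCOREFILE [GROUPFILE]
#   world-writable      : any local user can rewrite the scores
#   not-shared          : the games group cannot write the file
#   protected           : only the setgid game holds the games gid
#   editable-by-members : accounts in the games group can edit it by hand
score_verdict() {
    m=$(mode_of "$2")
    if [ $(( $m & 0002 )) -ne 0 ]; then echo world-writable; return; fi
    if [ "$(stat -c '%G' "$2")" != "$GAMES_GROUP" ] ||
       [ $(( $m & 0020 )) -eq 0 ]; then echo not-shared; return; fi
    if [ "$(classify_game "$1")" = sgid-model ] &&
       [ -z "$(members_of "$GAMES_GROUP" "$3")" ]; then
        echo protected
    else
        echo editable-by-members
    fi
}
```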

UncleOwen Veteran
Joined: 27 Feb 2003 Posts: 1493 Location: Germany, Hamburg
Posted: Sun Aug 14, 2005 8:54 pm
andrewd18 wrote: | On a serious note, does it really break the games group? Does the games group even have any meaning outside of Gentoo (I can play games in SUSE whether or not I'm in the games group...)? |
Yes, it does. Read Dolda2000's post. |

bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5934
Posted: Sun Aug 14, 2005 9:33 pm
how does it break it? the games group is in the users group (or at least it is on my system). see the /etc/group file. _________________
Neddyseagoon wrote: | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017 |

UncleOwen Veteran
Joined: 27 Feb 2003 Posts: 1493 Location: Germany, Hamburg
Posted: Sun Aug 14, 2005 10:06 pm
Yes, games is in users. I don't see your point. |

reub2000 Guru
Joined: 31 Jan 2004 Posts: 364
Posted: Sun Aug 14, 2005 10:26 pm
Quote: | So again, my question is: Why? It seems fairly worthless anyway, since if a user wants to play a game, he can just download the source and compile it himself either way, so it doesn't exactly stop anyone anyway... |
Mount all partitions that have places that the user can write to with the noexec option. An extreme solution to stop a user from playing games, but I think it would work. |

bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5934
Posted: Mon Aug 15, 2005 12:50 am
UncleOwen wrote: | Yes, games is in users. I don't see your point. |
Mine, or the original poster's? |

UncleOwen Veteran
Joined: 27 Feb 2003 Posts: 1493 Location: Germany, Hamburg
Posted: Mon Aug 15, 2005 2:14 pm
Yours. |

bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5934
Posted: Tue Aug 16, 2005 12:38 am
any user in the users group is automatically in the games group. i fail to see how the games group is broken. |

UncleOwen Veteran
Joined: 27 Feb 2003 Posts: 1493 Location: Germany, Hamburg
Posted: Tue Aug 16, 2005 8:59 am
beugh wrote: | any user in the users group is automatically in the games group. |
No, it's the other way 'round. But even that would be broken (in the sense discussed in this thread), because no one should be in the games group. |

Ibn al-Hazardous Tux's lil' helper
Joined: 02 Sep 2004 Posts: 133 Location: Somewhere deep in the desert.
Posted: Tue Aug 16, 2005 1:10 pm
beugh wrote: | any user in the users group is automatically in the games group. i fail to see how the games group is broken. |
The point is: No user should be in the games group, because users should not be allowed to edit hiscores by hand. Only game executables should do that, and therefore only game executables should be "in the games group". That way, hiscores etc can be shared computerwide. But sharing users via NIS makes it awkward to retain this feature of every other (larger than tiny) distro, if you want to allow a user to play games on gentoo. _________________ /Ibn |

bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5934
Posted: Wed Aug 17, 2005 1:08 am
Ibn al-Hazardous wrote: | The point is: No user should be in the games group, because users should not be allowed to edit hiscores by hand. Only game executables should do that, and therefore only game executables should be "in the games group". That way, hiscores etc can be shared computerwide. |
Then why does portage tell you...
Quote: |
* Remember, in order to play games, you have to
* be in the 'games' group.
|
This has been the default behaviour since I started using gentoo almost 2 years ago.
Maybe this should belong in "Portage and Programming" instead of "Games and Players". If you really feel that this is a security issue, how about making the world a patch or something? Instead of bitching about it, fix it! I still fail to see how this is a REAL problem. It's a high-score file for fsck's sakes, not something important like your boot configuration. |

Dolda2000 n00b
Joined: 05 Mar 2004 Posts: 37 Location: Täby, Sweden
Posted: Thu Sep 15, 2005 1:32 am
beugh wrote: | Then why does portage tell you...
Quote: |
* Remember, in order to play games, you have to
* be in the 'games' group.
|
|
Because Gentoo requires it. My point from the beginning was that Gentoo is the only distro that does this. All other distros, and all other flavors of Unix as well (as far as I know, at least) don't do this. What they do is have the games group reserved for game executables, which are SGID games. Therefore, the game executables alone can edit the hiscore files. Like Ibn al-Hazardous said, this is an especially large problem when sharing passwd directory info over NIS or similar.
beugh wrote: | This has been the default behaviour since I started using gentoo almost 2 years ago.
Maybe this should belong in "Portage and Programming" instead of "Games and Players". If you really feel that this is a security issue, how about making the world a patch or something? Instead of bitching about it, fix it! I still fail to see how this is a REAL problem. It's a high-score file for fsck's sakes, not something important like your boot configuration. |
Isn't "being ugly" enough reason to fix something? I would fix it myself, but I'd like to hear the opinion of the Gentoo devs first, to see why they did it the way they did, breaking all of Unix gaming tradition. There's no point in submitting a patch if the devs have their own opinions and won't accept it. |

BlackEdder Advocate
Joined: 26 Apr 2004 Posts: 2588 Location: Dutch enclave in Egham, UK
Posted: Thu Sep 15, 2005 10:05 am
I think the best way to go about this is to post a bug report assigned to the games group, they should tell you why it was decided to do it this way. You could also try to email them directly.
Posting here won't help, because the devs rarely read the fora. |