Gentoo games group leads to security hole - big surprise(!)

Opinions, ideas and thoughts about Gentoo. Anything and everything about Gentoo except support questions.
dashkal
n00b
Posts: 2
Joined: Wed Apr 12, 2006 11:07 pm

Post by dashkal » Wed Apr 12, 2006 11:13 pm

I do rather hope gentoo comes into line with the "standard" use of the games group.
My policy has been simply to roll my own games into /usr/local rather than deal with the oddities of having to actually be in the "games" group.

So yeah, I'm a regular user who disagrees with the games team's stance on restricting games to the games group.

Rather pointless anyway considering any user can compile/install their own games to ${HOME} anyway...
mrsteven
Veteran
Posts: 1939
Joined: Fri Jul 04, 2003 3:22 pm

Post by mrsteven » Thu Apr 13, 2006 9:40 am

dashkal wrote: Rather pointless anyway considering any user can compile/install their own games to ${HOME} anyway...

...which you can avoid by mounting /home /tmp /var/tmp with the noexec option.
Naib
Watchman
Posts: 6103
Joined: Fri May 21, 2004 9:42 pm
Location: Removed by Neddy

Post by Naib » Thu Apr 13, 2006 11:25 am

new_to_non_X86 wrote:
  PaulBredbury wrote: the bug is obviously in the nethack code
  wolf31o2 wrote: This *is* 100% a bug in nethack
  nethack code or not, the way gentoo handles games must be fixed,
  but we can temporarily patch nethack while working on resolving this issue

By "we" you mean Gentoo:Devs.

This is purely a problem with NetHack that becomes visible via Gentoo's use of the "games" group. Is the blame Gentoo's? No. Is the blame NetHack's? Yes.

No other game that requires a user to be part of the "games" group does this, so how can it be Gentoo's fault?

I quite like the principle of the games group; it makes sense that only people in the games group can play.
mrsteven
Veteran
Posts: 1939
Joined: Fri Jul 04, 2003 3:22 pm

Post by mrsteven » Thu Apr 13, 2006 11:42 am

Indeed it's really simple: If Gentoo handled the permissions for games and game data correctly, there would be no problem. If I followed your argumentation, I'd have to say that all *nix-like OSes are crap, because if you set wrong permissions, for example on /dev/hda, bad things can happen.

It is possible to restrict access to the installed games anyway, as it is discussed in the bug report.
dashkal
n00b
Posts: 2
Joined: Wed Apr 12, 2006 11:07 pm

Post by dashkal » Fri Apr 14, 2006 7:30 pm

mrsteven wrote:
  dashkal wrote: Rather pointless anyway considering any user can compile/install their own games to ${HOME} anyway...
  ...which you can avoid by mounting /home /tmp /var/tmp with the noexec option.

True, but that requires extra work anyway. Without resorting to drastic measures like that, the restricted games policy doesn't actually stop anything.
CMthoma
n00b
Posts: 1
Joined: Wed Apr 19, 2006 6:20 am

Post by CMthoma » Wed Apr 19, 2006 7:00 am

I just noticed that nethack was masked today and came across this thread; sorry for the bump. And sorry if someone has mentioned this elsewhere; it seems brutally obvious, but I just haven't seen it.

Attaining the secure, standard behavior is not an involved process in the least; for me, it was as easy as 3 chmods and a /etc/group edit. You just have to make /usr/games and /usr/games/* world readable and executable, and /usr/games/bin/* world readable, executable, and setgid (that's a 2 in the first octal.) Remove your users from the games group and it works automatically; I played a game of bastet and it read and wrote the high score file no problem.

I've seen it proposed elsewhere that there should be a games-update (akin to etc-update and opengl-update) tool, run following game emerges. In the interim, while the nearly 800 packages in games-*/ are fixed, this would be a good solution, I think. All the script needs to do is refresh the perms as I stated above, very simply, like so:

#!/bin/sh
# Refresh the "standard" games permissions after a game emerge:
# the games tree and everything directly under it world-readable and
# executable, the binaries world-executable and setgid (the leading 2),
# so they run with the group that owns them rather than needing the
# player to be in that group.

chmod 0755 /usr/games
chmod 0755 /usr/games/*
chmod 2751 /usr/games/bin/*

Naturally, this doesn't cover all games, such as those installed to /opt (All those Id games, for instance.) The script would have to be extended for those cases, or the user would otherwise be advised to do it manually. Of course, this interim standards-compliance hack is completely optional, and would probably only be done by those obsessed with security; the average user that didn't notice the GLSA would go on living their life as normal until they emerge after whatever change in policy occurs (if one occurs at all.)

On another note, I think all the people putting the blame fully on the upstream devs are kind of reaffirming some of the bad stereotypes that users of older, more conventional distros have of us: that we're some kind of fanatical Linux cult that likes to break things and blame upstream when things go wrong. Obviously Nethack shouldn't have this buffer overflow vulnerability, and it's probably a good thing that it got exposed; but how can anyone so vehemently defend the ability for regular users to edit highscore files, as has been the Gentoo way since the beginning? Not that I'm attacking anyone, I just don't see the logic in it. I've always personally seen the Gentoo games group as an inappropriate enforcement of policy, anyway, where most everywhere else in Gentoo seems to be more oriented on mechanism.
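As an added example (not code from the thread or from Gentoo), the check a sysadmin would run after the above script to confirm the setgid layout CMthoma describes is actually in place: binaries setgid to the games group and world-executable, shared score files writable by that group only. The sample tree, the file names under it and the group passed in are constructed for the demonstration; on a real install the call would be `audit_games /usr/games games`.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a games tree for the
# layout CMthoma describes (binaries world-executable and setgid to the
# games group, shared score/bones files writable by that group only) and
# build a constructed sample tree so the audit runs without root. The
# sample paths and the group name passed in are assumptions; on a real
# install the call would be: audit_games /usr/games games

# audit_games ROOT GROUP: print "BAD <reason> <path>" per violation,
# return 0 when the tree is clean and 1 otherwise.
audit_games() {
    root=$1; grp=$2; bad=0
    for bin in "$root"/bin/*; do
        [ -f "$bin" ] || continue
        # setgid bit (2000) and world-execute (0001) set, owning group $grp
        [ -n "$(find "$bin" -perm -2001 -group "$grp" -print)" ] \
            || { echo "BAD not-setgid-$grp $bin"; bad=1; }
        # a world-writable binary hands the games gid to whoever edits it
        [ -z "$(find "$bin" -perm -0002 -print)" ] \
            || { echo "BAD world-writable $bin"; bad=1; }
    done
    for data in "$root"/lib/*; do
        [ -f "$data" ] || continue
        # shared state: group $grp writes via the setgid game, world may not
        [ -n "$(find "$data" -perm -0020 -group "$grp" -print)" ] \
            || { echo "BAD not-group-writable-$grp $data"; bad=1; }
        [ -z "$(find "$data" -perm -0002 -print)" ] \
            || { echo "BAD world-writable $data"; bad=1; }
    done
    return $bad
}

# make_sample_tree good|bad: constructed tree under mktemp, path printed.
# "good" is the layout CMthoma asks for; "bad" has a non-setgid binary and a
# world-writable score file, so any user can edit scores with any tool.
make_sample_tree() {
    dir=$(mktemp -d); mkdir -p "$dir/bin" "$dir/lib"
    printf '#!/bin/sh\necho play\n' > "$dir/bin/nethack"
    : > "$dir/lib/record"
    if [ "$1" = good ]; then
        chmod 2751 "$dir/bin/nethack"; chmod 0660 "$dir/lib/record"
    else
        chmod 0755 "$dir/bin/nethack"; chmod 0666 "$dir/lib/record"
    fi
    echo "$dir"
}

# Stand-alone run against the "bad" sample; the caller's primary group stands in for "games".
t=$(make_sample_tree bad); audit_games "$t" "$(id -gn)"; echo "exit=$?"; rm -rf "$t"
```

Against the "bad" sample the audit reports the non-setgid binary and the world-writable score file and exits 1; against the "good" sample it prints nothing and exits 0.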
Arek75
n00b
Posts: 25
Joined: Thu Nov 11, 2004 8:20 pm

Post by Arek75 » Wed Apr 19, 2006 4:14 pm

Just out of curiosity... Is there a good reason (for the average linux user) that gentoo restricts running games to the members of the games group? I can see such a restriction in a corporate-style environment where there's a policy stating "no games on the job", but is that where the majority of Gentoo linux machines end up?

Perhaps, as at least a temporary solution, have games be group-executable for the 'users' group, rather than the 'games' group by default (with USE="gamesgrouprestriction" to revert the behavior). Keeping it restricted to users (imo) is a good idea, since it would keep anonymous users from accessing them.

Additionally, how about adding a 'saves' group for savegames, highscores, and the like (no group members, though)? This would help keep problems like this one in NetHack from cropping up again.

--Arek

P.S. None of this excuses NetHack for having faulty code. This is a recommendation for simplifying gentoo's games handling from the users' perspective.
mrsteven
Veteran
Posts: 1939
Joined: Fri Jul 04, 2003 3:22 pm

Post by mrsteven » Fri May 19, 2006 10:46 am

Is there anything going on about that? There has been no activity on b.g.o about that since last month... Anybody working on this?
srm
n00b
Posts: 71
Joined: Wed Dec 14, 2005 2:54 pm
Location: in da Heide. this globe

Post by srm » Sun Mar 18, 2007 8:26 pm

Regarding bugs.gentoo (http://bugs.gentoo.org/show_bug.cgi?id=125902), there is discussion about creating a new user/group for every game you install.
At first look, I think I would dislike something like that, for I feel like this would be kinda messy... On the other hand, mysql also needed new user(s), and I don't think I will pull in all games and therefore have 20.000 hardcore members on my box :D
So, let's see how this goes... nethack still hardmasked... *waiting for the summertime*

bye
Archangel1
Veteran
Posts: 1212
Joined: Wed Apr 21, 2004 12:29 am
Location: Work

Post by Archangel1 » Mon Mar 19, 2007 3:59 am

Does anyone else think Nethack's approach is a bit weird? Writing savegames to somewhere other than ~ seems a bit twisted...
What's it meant to accomplish anyway? I know that I'm not meant to be able to restore a game if I die, but if I want to take an image of the game's data and copy it back later, I can - heck, if I really wanted to cheat, being required to su isn't going to stop me.
dleverton
Guru
Posts: 517
Joined: Mon Aug 28, 2006 3:09 pm

Post by dleverton » Mon Mar 19, 2007 12:23 pm

Archangel1 wrote: heck, if I really wanted to cheat, being required to su isn't going to stop me.

It is if you're on a multiuser system where you don't have su access. In that case it's important that you don't cheat, because your games interact with other people's via the bones files and high-score table.
mikegpitt
Advocate
Posts: 3224
Joined: Sat May 22, 2004 6:49 pm

Post by mikegpitt » Tue Mar 20, 2007 3:40 pm

srm wrote:
  Regarding bugs.gentoo (http://bugs.gentoo.org/show_bug.cgi?id=125902), there is discussion about creating a new user/group for every game you install.
  At first look, I think I would dislike something like that, for I feel like this would be kinda messy... On the other hand, mysql also needed new user(s), and I don't think I will pull in all games and therefore have 20.000 hardcore members on my box :D
  So, let's see how this goes... nethack still hardmasked... *waiting for the summertime*

  bye

This seems like a messy solution. I know the system can handle lots of users, but for a home desktop this doesn't appeal to me. I've been using gentoo for too long to remember how other distros handle games, but I'm betting they do something cleaner than creating lots of users.
Dralnu
Veteran
Posts: 1919
Joined: Wed May 24, 2006 5:33 pm

Post by Dralnu » Tue Mar 20, 2007 4:07 pm

my .02C

Move games from /usr/games to /opt/games. A symlink to start would make for a quick fix; drop it in a few months, and fix the handling in the meantime.

Make a group for each game (for an example, nethackexec), with a single group to give you access to EVERY game so that the admin has a normal user without a long list of games.

wherever game data is saved, change the directory's permissions to that of the game itself, and no one else (in this case, nethack:nethack).

It would be a lot of work, and while we all know the devs have their own motives, this needs to be fixed CORRECTLY instead of another hack-fix on the system.

This problem may be with a bug in Nethack, but this is a bug that has exposed another problem with our non-FHS compliant system layout and setup.
mikegpitt
Advocate
Posts: 3224
Joined: Sat May 22, 2004 6:49 pm

Post by mikegpitt » Tue Mar 20, 2007 11:20 pm

Ya know... this is something where use flags come in very handy. It would be nice to see a "global-stats" useflag that, when enabled, allowed scores to be shared. This way, if there was a messy solution like adding users and groups, at least it can be controlled.

Although it is better to fix the problem...
Archangel1
Veteran
Posts: 1212
Joined: Wed Apr 21, 2004 12:29 am
Location: Work

Post by Archangel1 » Tue Mar 20, 2007 11:20 pm

dleverton wrote:
  Archangel1 wrote: heck, if I really wanted to cheat, being required to su isn't going to stop me.
  It is if you're on a multiuser system where you don't have su access. In that case it's important that you don't cheat, because your games interact with other people's via the bones files and high-score table.

Yeah that's obviously true - my point was just that if it doesn't work in all cases (and I bet most of the people playing NetHack are doing it on a machine they have the ability to su on), then what's the point in worrying? They're trying to use system permissions to enforce an inability to "cheat", but that only actually works for some of their users, not all.
dleverton
Guru
Posts: 517
Joined: Mon Aug 28, 2006 3:09 pm

Post by dleverton » Wed Mar 21, 2007 12:23 am

Archangel1 wrote: Yeah that's obviously true - my point was just that if it doesn't work in all cases (and I bet most of the people playing NetHack are doing it on a machine they have the ability to su on), then what's the point in worrying? They're trying to use system permissions to enforce an inability to "cheat", but that only actually works for some of their users, not all.

That's not the point. No-one cares if you cheat on your own private system - "you're only cheating yourself" and all that - and since you have the source there are innumerable ways you can cheat anyway. The restriction is to stop you from cheating in ways that will affect other people. You can still compile your own hacked version in your home directory, but then that copy can't (or shouldn't be able to, with the "standard" permissions) modify the system-wide files. (It still doesn't protect users from a mischievous admin, but if you don't trust your admin you're screwed anyway.)
© 2001–2026 Gentoo Authors
Gentoo is a trademark of the Gentoo Foundation, Inc. and of Förderverein Gentoo e.V.
The contents of this document, unless otherwise expressly stated, are licensed under the CC-BY-SA-4.0 license.
The Gentoo Name and Logo Usage Guidelines apply.