Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Can I remove the "games" group?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Desktop Environments
View previous topic :: View next topic  
Author Message
fpemud
Apprentice
Apprentice


Joined: 15 Feb 2012
Posts: 166

PostPosted: Fri Aug 16, 2013 1:23 am    Post subject: Can I remove the "games" group? Reply with quote

I don't see the necessity of this group.
Games are for every normal user, why give it an extra limitation?
A eligible root user should know he is not expected to run games.

Only /usr/games directory holds reference to the games group.
I think I can remove it from /etc/group after I change the owner of /usr/games directory to root:root.
Back to top
View user's profile Send private message
The Doctor
Veteran
Veteran


Joined: 27 Jul 2010
Posts: 1433

PostPosted: Fri Aug 16, 2013 1:32 am    Post subject: Reply with quote

You shouldn't. Portage would screw with you on every update by fixing the permissions and adding the group. You should just go with it and add another group to your users.
_________________
First things first, but not necessarily in that order.
Back to top
View user's profile Send private message
PaulBredbury
Watchman
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Fri Aug 16, 2013 6:35 am    Post subject: Re: Can I remove the "games" group? Reply with quote

fpemud wrote:
why give it an extra limitation?

Can help with security - games can have security flaws too.

E.g. Quake backdoor - very naughty.
_________________
Improve your font rendering and ALSA sound
Back to top
View user's profile Send private message
fpemud
Apprentice
Apprentice


Joined: 15 Feb 2012
Posts: 166

PostPosted: Wed Aug 21, 2013 12:58 am    Post subject: Reply with quote

But how does games group help with it?
I think this kind of security hole only affects the current user so long as the game executable is not SUID.
No matter the group of executable is "games" or "root".

The only usage of games group is to limit who can play game and who can not.
But I think take /usr/games/bin out of their PATH env-var is enough if it's dangerous for some powerful users (such as users in wheel group) mistakenly running games. So games group can be out of the way here either.


Last edited by fpemud on Wed Aug 21, 2013 1:04 am; edited 2 times in total
Back to top
View user's profile Send private message
fpemud
Apprentice
Apprentice


Joined: 15 Feb 2012
Posts: 166

PostPosted: Wed Aug 21, 2013 1:02 am    Post subject: Reply with quote

BTW, I changed the group-id of the games group (/etc/group and all the corresponding files), now all the games disappear from gnome-menu.

Is the group-id critical?
Do applications hardcode group-id in their code?
Back to top
View user's profile Send private message
PaulBredbury
Watchman
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Wed Aug 21, 2013 1:33 am    Post subject: Reply with quote

The "games" group is nicely appropriate for a shared hi-score file, e.g. ltris.hscr (I think it goes in /var/games/) for ltris.

Ltris might have a security flaw which is exploitable by someone malicious editing that hi-score file in a particular way, so it's good to have its write access restricted to only those in the "games" group.

Quote:
changed the group-id

Re-login, for your user session to be aware of the change.
Back to top
View user's profile Send private message
fpemud
Apprentice
Apprentice


Joined: 15 Feb 2012
Posts: 166

PostPosted: Wed Aug 21, 2013 5:22 am    Post subject: Reply with quote

Quote:
Re-login, for your user session to be aware of the change.


The system has been rebooted.
Hmm, perhaps I missed some file then. I'll recheck tonight.
Thanks.

PaulBredbury wrote:
The "games" group is nicely appropriate for a shared hi-score file, e.g. ltris.hscr (I think it goes in /var/games/) for ltris.


I don't think so.

Itris should create an "itris" group and use this group for it's shared hi-score file.
And the itris executable should have owner "root:itris" and be SGID.
This method is more secure than using games group, because the exploiter can only crack Itris, not the other games.
Many non-game application use this method for their data directory in /var, the one which came into my mind first is gdm.

The method above is incapable if multiple different games share one common hi-score file.
But I don't see this need in any game.
Back to top
View user's profile Send private message
PaulBredbury
Watchman
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Wed Aug 21, 2013 1:51 pm    Post subject: Reply with quote

An app would have its own group, sure, but these are just games.

Another scenario to consider: You have 3 users, but only want 2 of them to be able to play games.

Having a "games" group is a convenient, sensible, reasonable compromise.
Back to top
View user's profile Send private message
mreff555
Apprentice
Apprentice


Joined: 10 Mar 2011
Posts: 180
Location: Philadelphia

PostPosted: Sat Aug 31, 2013 6:09 pm    Post subject: Reply with quote

fpemud wrote:
But how does games group help with it?
I think this kind of security hole only affects the current user so long as the game executable is not SUID.
No matter the group of executable is "games" or "root".


Not necessarily. The games group is useful if you have a game that you want more than one user to have access, or you just don't want it in your home directory you may need it. Anything old or ported from windows will probably try to write to the installed directory which you don't have permission to access unless you are root or a member of that group.
I don't use games because I really don't have any games on my machine, but I have made a lot of groups for apps where it was necessary to avoid running as root. eg. Matlab or Wireshark.

Bottom Line, I don't use it but i'm not really worried about one extra line in my group file. Maybe you could get rid of it, but I don't loose sleep over it.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Desktop Environments All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum