fpemud Guru
Joined: 15 Feb 2012 Posts: 349
|
Posted: Fri Aug 16, 2013 1:23 am Post subject: Can I remove the "games" group? |
|
|
I don't see the necessity of this group.
Games are for every normal user, why give it an extra limitation?
An eligible root user should know he is not expected to run games.
Only /usr/games directory holds reference to the games group.
I think I can remove it from /etc/group after I change the owner of /usr/games directory to root:root. |
|
|
|
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
|
Posted: Fri Aug 16, 2013 1:32 am Post subject: |
|
|
You shouldn't. Portage would screw with you on every update by fixing the permissions and adding the group. You should just go with it and add another group to your users. _________________ First things first, but not necessarily in that order.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box. |
|
|
|
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
|
Posted: Fri Aug 16, 2013 6:35 am Post subject: Re: Can I remove the "games" group? |
|
|
fpemud wrote: | why give it an extra limitation? |
Can help with security - games can have security flaws too.
E.g. Quake backdoor - very naughty. _________________ Improve your font rendering and ALSA sound |
|
|
|
fpemud Guru
Joined: 15 Feb 2012 Posts: 349
|
Posted: Wed Aug 21, 2013 12:58 am Post subject: |
|
|
But how does games group help with it?
I think this kind of security hole only affects the current user so long as the game executable is not SUID.
No matter the group of executable is "games" or "root".
The only usage of games group is to limit who can play game and who can not.
But I think taking /usr/games/bin out of their PATH env-var is enough if it's dangerous for some powerful users (such as users in the wheel group) to mistakenly run games. So the games group can be out of the way here either.
Last edited by fpemud on Wed Aug 21, 2013 1:04 am; edited 2 times in total |
|
|
|
fpemud Guru
Joined: 15 Feb 2012 Posts: 349
|
Posted: Wed Aug 21, 2013 1:02 am Post subject: |
|
|
BTW, I changed the group-id of the games group (/etc/group and all the corresponding files), now all the games disappear from gnome-menu.
Is the group-id critical?
Do applications hardcode group-id in their code? |
|
|
|
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
|
Posted: Wed Aug 21, 2013 1:33 am Post subject: |
|
|
The "games" group is nicely appropriate for a shared hi-score file, e.g. ltris.hscr (I think it goes in /var/games/) for ltris.
Ltris might have a security flaw which is exploitable by someone malicious editing that hi-score file in a particular way, so it's good to have its write access restricted to only those in the "games" group.
Quote: | changed the group-id |
Re-login, for your user session to be aware of the change. |
|
|
|
fpemud Guru
Joined: 15 Feb 2012 Posts: 349
|
Posted: Wed Aug 21, 2013 5:22 am Post subject: |
|
|
Quote: | Re-login, for your user session to be aware of the change. |
The system has been rebooted.
Hmm, perhaps I missed some file then. I'll recheck tonight.
Thanks.
PaulBredbury wrote: | The "games" group is nicely appropriate for a shared hi-score file, e.g. ltris.hscr (I think it goes in /var/games/) for ltris.
|
I don't think so.
Ltris should create an "ltris" group and use this group for its shared hi-score file.
And the ltris executable should have owner "root:ltris" and be SGID.
This method is more secure than using the games group, because the exploiter can only crack Ltris, not the other games.
Many non-game applications use this method for their data directory in /var; the one which came into my mind first is gdm.
The method above is incapable if multiple different games share one common hi-score file.
But I don't see this need in any game. |
|
|
|
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
|
Posted: Wed Aug 21, 2013 1:51 pm Post subject: |
|
|
An app would have its own group, sure, but these are just games.
Another scenario to consider: You have 3 users, but only want 2 of them to be able to play games.
Having a "games" group is a convenient, sensible, reasonable compromise. |
|
|
|
mreff555 Apprentice
Joined: 10 Mar 2011 Posts: 231 Location: Philadelphia
|
Posted: Sat Aug 31, 2013 6:09 pm Post subject: |
|
|
fpemud wrote: | But how does games group help with it?
I think this kind of security hole only affects the current user so long as the game executable is not SUID.
No matter the group of executable is "games" or "root".
|
Not necessarily. The games group is useful if you have a game that you want more than one user to have access to, or you just don't want it in your home directory; you may need it. Anything old or ported from Windows will probably try to write to the installed directory, which you don't have permission to access unless you are root or a member of that group.
I don't use games because I really don't have any games on my machine, but I have made a lot of groups for apps where it was necessary to avoid running as root, e.g. Matlab or Wireshark.
Bottom line, I don't use it but I'm not really worried about one extra line in my group file. Maybe you could get rid of it, but I don't lose sleep over it. |
|
|
|
|