games user and group
Michael Thomas
wart at kobold.org
Fri Mar 3 18:25:49 UTC 2006
Michael Thomas wrote:
> I've got a few questions regarding the use of the 'games' user and group
> for game packages. The resulting recommended practices will be posted
> to the Extras/SIGs/Games wiki page.
>
> Daemon processes
> ================
> Some games such as wesnoth and xpilot-ng come with server daemons. I
> see three choices for the owner of these daemon processes:
>
> 1) root (ick!)
> 2) Allocate a separate '<gamename>' user for each package/daemon
> 3) Piggyback on the 'games' user
>
> My preference would be #3. Are there any drawbacks to reusing the
> 'games' user to run various game daemons?
>
> Scoreboard files
> ================
> Two packages that I recently submitted for review ('rogue' and 'ularn')
> use the 'games' group and a setgid executable so that all users have
> access to the shared scoreboard file. Are there any security issues
> that we need to be aware of when using setgid games?
>
> File ownership
> ==============
> Almost every package that I see in FE uses %defattr(-,root,root,-). Is
> there any reason why we shouldn't be using %defattr(-,games,games,-) for
> game packages (including documentation, manpages and such)?
The consensus from fedora-devel and fedora-extras is this:
* Use a unique user for each game daemon as a minimum. Layer other
security tools such as selinux on top of that.
* No comment on the use of setgid 'games' executables for writing to a
shared scoreboard file. I'll assume that this is acceptable.
* Files should be owned by root.root, with the exception of the shared
writable files (scoreboard, etc.).
I'll update this on the Extras/SIGs/Games wiki page at some point today.
Thanks for the feedback,
--Mike
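
The ownership and setgid points of the summary above can be checked mechanically against a package's file list. The following is an added example, not part of the original message or of any Fedora tooling: it assumes input in the long-listing layout that `rpm -qlv` prints (mode, links, owner, group, size, date, path), paths without spaces, and a caller-supplied scoreboard directory prefix. The sample listing, its paths and `examplegame` are constructed.

```shell
#!/bin/sh
# Added example. Audits a long file listing against the policy summarized above:
#   - files are owned by root.root
#   - setgid executables carry group 'games'
#   - shared writable files under SCORE_PREFIX (assumed location) are exempt

# audit_game_listing SCORE_PREFIX
# Reads the listing on stdin and prints one line per violation:
#   "<check> <offending value> <path>"
audit_game_listing() {
    awk -v score="$1" '
    $1 ~ /^l/ { next }                          # skip symlinks
    NF >= 9 {
        mode = $1; owner = $3; group = $4; path = $NF
        if (index(path, score) == 1) next       # scoreboard exception
        setgid = (substr(mode, 7, 1) ~ /[sS]/)  # group-execute slot
        if (owner != "root")
            printf "owner %s %s\n", owner, path
        if (setgid && group != "games")
            printf "setgid-group %s %s\n", group, path
        else if (!setgid && group != "root")
            printf "group %s %s\n", group, path
    }'
}

# Constructed sample listing (not taken from a real package).
sample_listing() {
    cat <<'EOF'
-rwxr-sr-x    1 root    games    61440 Mar  3  2006 /usr/bin/rogue
-rw-r--r--    1 root    root      4096 Mar  3  2006 /usr/share/man/man6/rogue.6.gz
-rw-rw-r--    1 root    games        0 Mar  3  2006 /var/games/rogue.scores
-rw-r--r--    1 games   games     2048 Mar  3  2006 /usr/share/doc/rogue/README
-rwxr-sr-x    1 root    root     32768 Mar  3  2006 /usr/bin/examplegame
EOF
}

# Flags the games-owned README and the setgid binary whose group is not games.
sample_listing | audit_game_listing /var/games/
```
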