[Bug 219972] Review Request: poker-network - A poker server, client and abstract user interface library

bugzilla at redhat.com bugzilla at redhat.com
Wed Jan 24 23:29:22 UTC 2007
Summary: Review Request: poker-network - A poker server, client and abstract user interface library
Alias: poker-network

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219972
------- Additional Comments From wart at kobold.org  2007-01-24 18:29 EST -------
(In reply to comment #53)
> > MUSTFIX
> > * Create a 'poker' user for running the server for better security
> 
> I used user "games" instead.

Better to use a custom user account and not the overloaded 'games' account. 
This helps prevent a security breach from one game using the 'games' account
from compromising other games using the 'games' account.  This will require
using 'useradd' in the %pre scriptlet.

> > * Add selinux policies to poker-server for better security
> 
> Need help from you on this.

I'm working on it...

> > * Use double quotes around the sed regsub pattern to avoid potential
> >   problems if %{python_sitelib} were to ever contain a space.
> 
> There already are double quotes around this path in the init file.

But the sed command itself would fail if %{python_sitelib} contained a space,
unless you surround the regsub pattern with double-quotes.

> > NOTES and Questions
> > ===================
> > * Why does the package contain a x509 certificate for 'webmaster at localhost'?
> > 
> 
> 09:38:57       XulChris | dachary: reviewer wants to know: "Why does the package
> contain a x509 certificate for 'webmaster at localhost'?"
> 09:38:57        dachary |  :-)
> 09:39:12        dachary |  for the SSL conx to the poker server
> 09:39:46       XulChris | dachary: i dont know anything about x509 certificates,
> but what if you dont have a webmaster user name or use "localhost"?
> 09:40:12        dachary |  it's a self signed certificate
> 09:40:21        dachary |  the email does not matter much
> 09:40:33       XulChris | so its nothing i have to generate at build time then?
> 09:40:41        dachary |  it's a place holder that must be replaced if you're
> serious about security
> 09:40:47        dachary |  no

I suspected it was something like this.  poker-server admins should be aware
that using the default x509 cert provides no security at all, since everyone has
access to the certificate's private key.  Please document this in README.Fedora.

More information about the Fedora-package-review mailing list
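The dedicated-account point above, as an added example that is not part of the bug report or the poker-network package: the idempotent `%pre` scriptlet pattern Fedora packages use to create an unprivileged system account instead of reusing the shared `games` user. The account name `poker`, the home directory and the description are assumptions. Root-only commands go through `run`, which only prints them when `POKER_DRY_RUN` is set, so the function can be exercised on a non-root machine; in the spec file the same body is used without the wrapper.

```shell
#!/bin/sh
# Added example (not from the poker-network package or the review).
# Assumed: service account "poker", home /var/lib/poker-network.

# run CMD...: execute CMD, or only print it when POKER_DRY_RUN is set.
run() {
    if [ -n "$POKER_DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ensure_service_user NAME HOME
# Creates a system group and a locked, shell-less system account NAME
# if they do not already exist.  rpm runs %pre on every upgrade, so the
# check with getent keeps the scriptlet idempotent; an existing account
# is never recreated or modified.  Always returns 0 so a failed check
# cannot abort the package transaction.
ensure_service_user() {
    name=$1
    home=$2
    getent group "$name" >/dev/null 2>&1 || run groupadd -r "$name"
    getent passwd "$name" >/dev/null 2>&1 || run useradd -r \
        -g "$name" -d "$home" -s /sbin/nologin \
        -c "poker-network server" "$name"
    return 0
}

# What the %pre scriptlet in the spec file would contain:
#   %pre
#   getent group poker >/dev/null || groupadd -r poker
#   getent passwd poker >/dev/null || useradd -r -g poker \
#       -d /var/lib/poker-network -s /sbin/nologin -c "poker-network server" poker
#   exit 0
# The init script then has to start the daemon as that account (for
# example with the "--user poker" option of daemon() from
# /etc/rc.d/init.d/functions), otherwise the account buys nothing.
ensure_service_user "${POKER_USER:-poker}" "${POKER_HOME:-/var/lib/poker-network}"
```

With the account in place, the server's state directory and the certificate key should be owned by `poker` and readable by nobody else; a compromise of the poker daemon then cannot touch files belonging to other games that still run as `games`.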
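The sed quoting point above, as an added example that is not code from the package: the quotes in the init file protect the path at run time, but the `sed` call that substitutes `%{python_sitelib}` into the init file at build time is a separate shell command and needs its own quoting. The placeholder token `@PYTHON_SITELIB@`, the sample init-script line and the path containing a space are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the poker-network spec.  Constructed value:
# a site-packages path containing a space, which is what the review
# worries about.
PYTHON_SITELIB='/usr/lib/python 2.4/site-packages'

# Unquoted replacement: the shell word-splits $PYTHON_SITELIB at the
# space, so sed receives the expression 's,@PYTHON_SITELIB@,/usr/lib/python'
# (an unterminated s command) and treats '2.4/site-packages,' as an input
# file.  sed rejects the expression and exits non-zero; in an RPM %install
# section that aborts the build.  stderr is silenced here only to keep the
# demonstration quiet.
subst_unquoted() {
    printf '%s\n' "$1" | sed -e s,@PYTHON_SITELIB@,$PYTHON_SITELIB, 2>/dev/null
}

# Quoted replacement: exactly one argument reaches sed regardless of
# whitespace in the path.
subst_quoted() {
    printf '%s\n' "$1" | sed -e "s,@PYTHON_SITELIB@,$PYTHON_SITELIB,"
}

# Constructed sample line from an init script template.
subst_quoted 'PYTHONPATH="@PYTHON_SITELIB@" exec /usr/bin/pokerserver'
```

Quoting fixes word splitting, not every hostile character: a `,` in the path would still terminate the `s` command early, so pick a delimiter (here `,`) that cannot occur in a Python site-packages path, or escape the replacement before substituting.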
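The certificate point above, as an added example that is not part of the package or the bug report: a shipped placeholder certificate gives no protection because its private key is in every copy of the package, so anyone can impersonate the server or decrypt the session. The functions below, for a README.Fedora-style post-install step, generate a per-host key pair with a private key readable only by its owner, and check whether a server still presents a certificate whose fingerprint appears in a list of known placeholder fingerprints. The file names `poker.key`/`poker.pem`, the host name and the fingerprint list are assumptions; the real placeholder's fingerprint would have to be taken from the packaged certificate.

```shell
#!/bin/sh
# Added example; paths, CN and the placeholder fingerprint file are assumed.

# cert_fingerprint CERT.pem: print the SHA-256 fingerprint (hex, colon
# separated) of the certificate, without the "SHA256 Fingerprint=" label.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# generate_server_cert DIR HOST: write a fresh 2048-bit RSA key and a
# one-year self-signed certificate for HOST into DIR.  The subshell
# confines umask 077, so the key is created mode 0600; the certificate
# itself is public and is opened up to 0644 afterwards.
generate_server_cert() {
    dir=$1
    host=$2
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=$host" \
            -keyout "$dir/poker.key" -out "$dir/poker.pem" >/dev/null 2>&1
    ) && chmod 644 "$dir/poker.pem"
}

# is_placeholder_cert CERT.pem FINGERPRINTS: exit 0 when the certificate's
# fingerprint is listed (one per line) in FINGERPRINTS, i.e. the
# well-known placeholder is still in use and the deployment is not
# actually protected.
is_placeholder_cert() {
    fp=$(cert_fingerprint "$1")
    [ -n "$fp" ] || return 1
    grep -qixF "$fp" "$2"
}
```

An init script can call `is_placeholder_cert` on the configured certificate at start-up and log a warning, which turns the README advice into something an administrator will actually notice.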