[Fedora-packaging] Re: Packaging a game, need help with setgid security

[Hans de Goede]

Hi,

On 09/01/2009 05:52 AM, Ryan Rix wrote:
> Andrea Musuruane wrote:
>
>> On Mon, Aug 31, 2009 at 7:55 AM, Ryan Rix<phrkonaleash at gmail.com>  wrote:
>>> Like many roguelikes, it has a shared high score file and Bones files
>>> that all users are meant to have their scores and final data written to.
>>> As a result, the game is forced to run setgid games so that it has the
>>> rights to write to /var/games/ivan/. While packaging this application, I
>>> got a lot of help from some of the Fedora-KDE guys (hi Kevin, Ben) and
>>> they both suggested I run this through Fedora Security SIG so that the
>>> game would properly demote itself to non-setgid when it doesn't need to.
>>>
>>> What is the proper channel to go about this? Should I just mail to the
>>> security list? Should I put this package up for review beforehand/in the
>>> meantime?
>>
>> The game must drop setuid as early as possible:
>> http://fedoraproject.org/wiki/SIGs/Games/Packaging
>>
>> If you need help, consider writing to the fedora-games-list:
>> http://www.redhat.com/mailman/listinfo/fedora-games-list
>
> I didn't think of this when I first wrote my post but now am realizing that
> the application creates Bones files when a player dies in /var/games/ivan...
> :( How would I apply setgid rules to this scenario? I cannot accurately
> predict the name of the bones file in the main() and cannot create a new
> file every single time the application starts up, so I am unsure of how to
> handle that.
>
> Suggestions?
>

This is a known issue with roguelikes, we've solved this for the other roguelikes
(see there spec files) by creating a group esp. for the game and making it sgid
itsowngroup and never dropping the sgid rights. This way we strongly limit the
amount of damage / attacks which can be done by not dropping sgid, this is the
best security versus usability trade off we could come up with for rogue likes.

Regards,

Hans