
Security of bsd-games and bsd-games-non-free
============================================

Some games maintain system-wide score files or logs, and need
appropriate privileges to write to these files.  They can get these
privileges by being installed setgid games, or through the files being
world writable.  If they do not have these privileges, they will run,
but fail to update the score files.  Most of the games were written at
a time when security was not considered important; therefore, making
games setgid has in the past meant that users can get a shell with gid
games, and possibly also get access to the accounts of other games
players by corrupting the score files.  (This will also apply to many
more modern games that are badly written.)

In version 2.2, security fixes from OpenBSD have been applied: most of
the games that have score files will open them on startup, and then
drop any setgid privileges completely (including the saved gid).  This
limits the effect of a cracked game to corruption of its score file.
It should be somewhat safer now to make games setgid games than in
versions 2.1 and earlier, but probably not completely safe; phantasia,
sail, rogue, hack and tetris do not currently handle their score files
in the above way, and so should be considered the most dangerous to
install setgid.  If you are auditing these games, phantasia, sail,
rogue, hack and tetris should be considered the most important to
audit.  In versions before 2.14, rogue had an exploitable buffer
overrun (see NetBSD Security Advisory 2002-021).

An effect of this security policy is that in some cases the score
files need to be world-readable so that they can be opened for reading
after the game has dropped privileges, or by a score file reading
program that was never privileged.  In versions before 2.10, the
phantasia "characs" file (containing passwords for phantasia
characters) was mistakenly made world readable.

You should, of course, only install the games setgid if this is in
line with system security policy.  Games should not be installed
setuid, since if a setuid game is cracked this allows games to be
replaced with trojans.  Games should not be installed setgid to a
system group such as "root" or "daemon".  In some environments, an
acceptable alternative may be not to give the games any special
privileges, but to put trusted users in the games group.

An option is to use the "dungeon master" dm to regulate games playing.
I believe this is safe; games that do not need to run setgid drop the
setgid privileges they get from dm on startup.  If dm is setgid, but
the games that access score files are not, then they will keep their
setgid privileges from dm; note that in this case it does not make
sense for dm to be setgid to some gid other than the one (normally
"games") with write access to the score files.

This package does not yet support security hardening by giving each
setgid game its own gid, but in some environments you may wish to do
this.

***********************************************************************
*                                                                     *
* DO NOT INSTALL ANY GAMES SETUID, ONLY SETGID.                       *
*                                                                     *
* INSTALLING GAMES SETGID GAMES MIGHT ENABLE USERS TO GET SHELLS WITH *
* GID GAMES.                                                          *
*                                                                     *
* WHERE GAMES READ A SCORE FILE, IF A USER CAN CORRUPT THIS FILE IT   *
* MIGHT IN SOME CASES MEAN THEY CAN GET ACCESS TO THE ACCOUNTS OF     *
* OTHER USERS PLAYING THAT GAME.                                      *
*                                                                     *
* IF IN DOUBT, CHOOSE THE DEFAULT OPTIONS FOR PERMISSIONS AND DO      *
* WITHOUT SCOREFILES.                                                 *
*                                                                     *
* THESE GAMES COME WITH NO WARRANTY.                                  *
*                                                                     *
***********************************************************************

If you are compiling these games on an operating system other than
Linux, be warned that they rely for their security on
"setregid(getgid(), getgid())" dropping all setgid privileges
permanently, _including the saved gid_.  On Linux this works because
setregid() resets the saved gid whenever it is given a real gid.  On
some other operating systems the call may fail to drop the saved gid
(and indeed such operating systems may provide no way for a process
not running as root to revoke privileges permanently); in such a case,
bugs in a game may provide access to the games group rather than
merely to that game's score file.  Where getresgid() is available, a
port can check after the call that the real, effective and saved gids
are all equal.

Joseph S. Myers
jsm@polyomino.org.uk


^L
Local Variables:
mode: text
End:
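The privilege-dropping pattern described above (open the score file while still holding the games gid, drop the gid permanently with setregid(getgid(), getgid()), then confirm the saved gid is really gone), written out as an added example.  This is not bsd-games code and not the author's; the function names, the temporary score-file path and the use of getresgid() (a Linux/glibc extension) are assumptions made for the example.

```c
/* Added example, not bsd-games code: the 2.2-style score-file pattern
 * (open while setgid, then drop the gid permanently) plus the check a
 * port to another OS would want, using getresgid().  getresgid() is a
 * Linux/glibc extension; the check part assumes it. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Declared explicitly so the file compiles even if a libc header was
 * already included before _GNU_SOURCE took effect.  Same signature as
 * glibc's declaration. */
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* Drop setgid privileges permanently by setting the real and effective
 * gid to the real gid.  On Linux, passing a real gid (not -1) makes the
 * kernel set the saved gid to the new effective gid as well, so a later
 * setegid()/setregid() cannot regain the games gid.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_setgid(void) {
    gid_t real = getgid();
    return setregid(real, real) == -1 ? -1 : 0;
}

/* The caveat in the text: verify that real, effective AND saved gids are
 * equal.  A system that silently keeps the saved gid fails this check.
 * Returns 1 if fully dropped, 0 if a different gid lingers, -1 if
 * getresgid() itself failed. */
int setgid_fully_dropped(void) {
    gid_t r, e, s;
    if (getresgid(&r, &e, &s) == -1)
        return -1;
    return (r == e && e == s) ? 1 : 0;
}

/* Hypothetical game start-up: open the score file read-write while the
 * games gid is still in effect, then drop it.  The descriptor keeps its
 * write access; the process itself no longer has the gid.
 * Returns the fd, or -1 with errno set. */
int open_scorefile_then_drop(const char *path) {
    int fd = open(path, O_RDWR | O_CREAT, 0664);
    if (fd == -1)
        return -1;
    if (drop_setgid() == -1) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (setgid_fully_dropped() != 1) {
        /* Refuse to run rather than pretend the drop worked. */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void) {
    /* Constructed path for a stand-alone run; an installed game would use
     * its real score file (e.g. under /var/games). */
    char path[] = "/tmp/score-example-XXXXXX";
    int tmp = mkstemp(path);
    if (tmp == -1) {
        perror("mkstemp");
        return 1;
    }
    close(tmp);

    int fd = open_scorefile_then_drop(path);
    if (fd == -1) {
        perror("open_scorefile_then_drop");
        unlink(path);
        return 1;
    }
    printf("real gid %u, effective gid %u, fully dropped: %d, score fd %d\n",
           (unsigned)getgid(), (unsigned)getegid(), setgid_fully_dropped(), fd);
    close(fd);
    unlink(path);
    return 0;
}
```

Run it as an ordinary user and it reports all gids equal; installed setgid games and run by a user outside the games group, the first line shows the games gid only in the open descriptor, not in the process.  A port to a system whose setregid() keeps the saved gid will see setgid_fully_dropped() return 0 and the start-up refuse to continue, which is the failure the last paragraph above warns about.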