Wart wrote:
I've come across two games so far that allow user-contributed content,
but am unsure of how to proceed with the file permissions.
The first game, njam, has an in-game editor for users to create new
levels. The directory where user-levels are saved is
/usr/share/njam/levels.
The second game, hack (part of bsd-games), creates 'bones' files when a
character dies. These bones files are later loaded and removed when
other players start a game to create ghosts and treasure piles.
In both cases this user-contributed content needs to be placed in a
directory that is writable by the game binary. This is similar to the
shared scoreboard file, except that in both of these cases the name of
the file is not known in advance, so we can't open a setgid filehandle
when the game starts up and then drop setgid.
hack works around this by not dropping setgid so that the app is free to
create new files in the content directory, which isn't the safest thing
to do.
Does anyone have any ideas on how we can allow this user-contributed
content without sacrificing too much security in the games?
I _really_ believe we shouldn't try to wrangle ourselves into all kinds of
corners for things like this. Either we can solve things simply, or we
should try not to solve them at all.
My suggestions for the 2 given examples:
-just give hack its own private group and let it run as that; that
reduces the risk to:
-someone manages to get hack-rights
-this someone uses those rights to create malformed input files for
hack
-if someone else runs hack, these malformed input files could cause hack
to do unwanted stuff with someone else's rights.
Then the question becomes whether this is an acceptable risk. We could make
the risk even smaller by implementing the suggestions made by Jason so that
the files can be opened immediately in main and rights dropped; if we do
things Jason's way we probably don't even need a separate hack user.
-for njam, teach it to save and look for levels under $HOME. If a user
wants to share his levels he can just give them to other users to copy
to their level dir, or ask his sysadmin to put them in the global dir.
Why should we assume he wants to share them and jump through hoops to
automatically share them for him?
Regards,
Hans