Hi,
On 05/04/2011 10:39 AM, Ludwig Nussel wrote:
> Hans de Goede wrote:
> > I've made a list of points which I would like us to come to some
> > start of standard for below:
> > [... ACK]
> > 4) Handling of sgid rights for shared/global highscore files
> >
> > Many games support a global highscore table shared between different
> > users, this usually involves sgid games rights, combined with
> > a gid games writable score file somewhere under /var.
> >
> > Having sgid binaries brings certain security issues with it, and
> > as we all know most games have not been written really robustly
> > when it comes to dealing with unexpected input / error handling.
> >
> > This leads to the following potential attack scenario:
> > 1) attacker starts a sgid games game, subverts it
> > 2) attacker writes invalid data crafted to subvert
> > 2a) the same game, to the highscore file
> > 2b) another game, to another highscore file
> > 3) intended target starts the game with the malicious
> > highscore file
> > 4) game does things the attacker wanted with the target's rights
> Another attack vector is packages (e.g. %post scripts) that do
> things with group games owned files or directories. There's
> potential to escalate to root by playing symlink tricks leading to
> e.g. a chmod on /etc/shadow or something like that.
Well, there should simply be no %post scripts messing with these files,
and rpm itself is smart enough to not fall for symlink attacks. Also
notice that my proposed fix disallows the user to create a symlink in
the first place; all he gets access to if he subverts the game is a
filehandle to the rw opened score file.
> IMO the "global highscore" feature which actually is a "local
> machine highscore" should simply not be enabled by default in distro
> packages.
I disagree, why disable a long standing feature of many of these games,
esp. given that there have been very few security issues with this
even though it has been common practice for ages.
> An ideal solution would be some kind of standardized highscore
> protocol. So games could post their highscore to either a local
> highscore daemon or some service on the internet. I guess that's
> never going to happen though :-)
That would be cool, I agree :)
Regards,
Hans
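The pattern the thread argues about, as an added example that is not code from the thread or from any particular game: an sgid games binary opens the shared score file while it still holds group "games", refuses a symlink in place of the file (the %post-style trick Ludwig mentions), drops the group permanently, and only then parses the file with strict bounds, so a crafted score file is handled with the player's own rights and the only thing left over from the sgid phase is the open descriptor. The path /var/games/example.scores, the "name points" line format and the use of Linux/glibc setresgid() are assumptions of this example.

```c
#define _GNU_SOURCE            /* setresgid() and fmemopen() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

#define SCORE_PATH   "/var/games/example.scores"  /* hypothetical path */
#define MAX_SCORES   10
#define NAME_LEN     32
#define LINE_MAX_LEN 128

struct score {
    char name[NAME_LEN];
    long points;
};

/* Open the shared score file while the process still has the sgid group.
 * O_NOFOLLOW refuses a symlink planted in place of the file, and fstat() on
 * the descriptor (not stat() on the path) confirms it is a regular file. */
int open_score_file(const char *path)
{
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Give up the sgid group for good: real, effective and saved gid all become
 * the player's own gid, so code that runs later cannot regain "games". */
int drop_sgid(void)
{
    gid_t rgid = getgid();
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    return getegid() == rgid ? 0 : -1;
}

/* Parse one "name points" line with strict bounds. Returns 1 if accepted,
 * 0 if rejected (empty or overlong name, bad or negative number, trailing junk). */
int parse_score_line(const char *line, struct score *out)
{
    size_t n = strcspn(line, " \t\r\n");
    if (n == 0 || n >= NAME_LEN)
        return 0;
    const char *p = line + n;
    if (*p != ' ' && *p != '\t')
        return 0;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    errno = 0;
    long pts = strtol(p, &end, 10);
    if (errno != 0 || end == p || pts < 0)
        return 0;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')
        return 0;
    memcpy(out->name, line, n);
    out->name[n] = '\0';
    out->points = pts;
    return 1;
}

/* Load at most `max` entries; malformed or overlong lines are skipped rather
 * than trusted. Returns the number of entries loaded. */
int load_scores(FILE *f, struct score *table, int max)
{
    char line[LINE_MAX_LEN];
    int count = 0;
    while (count < max && fgets(line, sizeof line, f) != NULL) {
        if (strchr(line, '\n') == NULL && !feof(f)) {
            int c;                       /* overlong line: discard the rest */
            while ((c = fgetc(f)) != EOF && c != '\n')
                ;
            continue;
        }
        if (parse_score_line(line, &table[count]))
            count++;
    }
    return count;
}

int main(void)
{
    int fd = open_score_file(SCORE_PATH);   /* still gid games at this point */
    if (drop_sgid() != 0) {                 /* drop before looking at any content */
        perror("setresgid");
        return 1;
    }
    if (fd < 0) {
        perror(SCORE_PATH);
        return 1;
    }
    FILE *f = fdopen(fd, "r+");
    struct score table[MAX_SCORES];
    int n = load_scores(f, table, MAX_SCORES);
    for (int i = 0; i < n; i++)
        printf("%-31s %ld\n", table[i].name, table[i].points);
    fclose(f);
    return 0;
}
```

The order in main() is the point: the file is opened first, the group is dropped second, and parsing comes last, so a bug in the parser runs without the sgid group and has nothing to write to except the descriptor already in hand. The drop is checked with getegid() afterwards rather than assumed, since a failed setresgid() that goes unnoticed would leave the whole parse running as group games.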