
List:       kde-devel
Subject:    Re: TR: [Kde-games-devel] KHighscore setuid?
From:       George Staikos <staikos () kde ! org>
Date:       2001-05-06 22:04:39

On Sunday 06 May 2001 17:34, Andreas Beckermann wrote:

> > > OK, if you want a complete thermonuclear-overkill to the solution, how
> > > about this?
> >
> > Wouldn't it be easier to use a small suid program that updates the
> > database?
>
> That has come up on kde-games-devel, too. I don't like it as it means we
> have an additional suid program installed on every computer which uses
> libkdegames. The problem is that it is (at least in theory) possible to get
> root rights through this program (even if it is *not* suid root but suid
> games). I think such a possible security hole is not worth the profit we
> get.

  No, the suid program would not use libkdegames.  It is not "in theory" 
possible to get root rights.  It is "in practice" if the programming is done 
incorrectly.  

> I'll probably implement it this way: install the highscores by default in
> the users (local) config or (if --enable-highscore-dir was given) into a
> specified directory. The files will be readable by everyone but only
> writeable by the group "games" (could vary among distributions). This way
> *any* user who is member of the group "games" can change the file.

   1) Some games depend on users _not_ being in gid=games.
   2) Systems like schools where they have 3000 accounts on NFS will be 
required to add every user to games if he/she wants to play games 
w/highscores.  That will never happen.
   3) You have to make the directory that the file is in group writable too.  
Now people can create files in there as they please.  Otherwise if the file 
disappears, no-one can write highscores. 

> We'll use encryption inside KHighscore (as soon as it is in kdelibs as
> George promised) - so that a user can only clear the list, but not fake it.
> I don't know a better (*secure*) way to solve this

    That is insecure because it requires a globally writable file.  What you 
are arguing is that we explicitly open a security hole in exchange for not 
having the possibility of a mistake causing a security hole elsewhere.  This 
makes no sense.

    My plan does not involve encrypting any files.  It involves using 
encryption as a form of authentication so that only the game itself may call 
the suid/sgid helper app to update the highscores file.

-- 

George Staikos

 
>> Visit http://master.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
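The thread above argues about whether a small setgid helper is safer than a group-writable highscore file. As an added example (this is not KDE code and not what kdegames shipped), here is the skeleton of such a helper, written the way George's reply demands: it never uses libkdegames, it refuses to run setuid, it discards the caller's environment, and it treats the record it is handed as untrusted input. The "name:score" line format, the table size, the score bound and the helper name khs-helper are assumptions made for illustration.

```c
/* Added example (not KDE code): skeleton of a setgid-games helper that
 * merges one entry into a shared highscore file.  The "name:score" line
 * format, the table size and the score bound are assumptions. */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_NAME    32        /* assumed */
#define MAX_ENTRIES 10        /* assumed */
#define SCORE_MAX   1000000L  /* assumed per-game sanity bound */

struct entry { char name[MAX_NAME + 1]; long score; };

/* The name is the only caller-chosen text that reaches the file. */
int valid_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_NAME) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isprint((unsigned char)name[i]) || name[i] == ':') return 0;
    return 1;
}

/* Parse "name:score[\n]"; 0 on success, -1 if malformed or out of range. */
int parse_entry(const char *text, struct entry *e)
{
    const char *sep = strchr(text, ':');
    if (!sep || (size_t)(sep - text) > MAX_NAME) return -1;
    memcpy(e->name, text, (size_t)(sep - text));
    e->name[sep - text] = '\0';
    if (!valid_name(e->name)) return -1;
    char *end;
    errno = 0;
    long score = strtol(sep + 1, &end, 10);
    if (errno || end == sep + 1 || (*end != '\0' && *end != '\n')) return -1;
    if (score < 0 || score > SCORE_MAX) return -1;
    e->score = score;
    return 0;
}

/* Sorted descending, at most MAX_ENTRIES rows; returns the row taken or -1. */
int insert_entry(struct entry *tab, int *n, const struct entry *e)
{
    int pos = 0;
    while (pos < *n && tab[pos].score >= e->score) pos++;
    if (pos >= MAX_ENTRIES) return -1;
    if (*n < MAX_ENTRIES) (*n)++;
    for (int i = *n - 1; i > pos; i--) tab[i] = tab[i - 1];
    tab[pos] = *e;
    return pos;
}

/* Read existing rows, silently skipping anything malformed. */
int load_table(FILE *in, struct entry *tab)
{
    char line[128]; struct entry cur; int n = 0;
    while (n < MAX_ENTRIES && fgets(line, sizeof line, in))
        if (parse_entry(line, &cur) == 0) tab[n++] = cur;
    return n;
}

/* Meant to be setgid games only: refuse to run if installed setuid,
 * and discard the caller's environment before doing anything else. */
void harden_helper(void)
{
    if (geteuid() != getuid()) _exit(1);
    clearenv();
    umask(002);
}

/* Merge under an exclusive lock and publish with rename(), so a killed
 * helper never leaves a truncated table.  0 = written, 1 = not a top score. */
int update_highscores(const char *path, const struct entry *e)
{
    struct entry tab[MAX_ENTRIES]; char tmp[4096];
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0664);
    if (fd < 0) return -1;
    FILE *in = flock(fd, LOCK_EX) == 0 ? fdopen(fd, "r") : NULL;
    if (!in) { close(fd); return -1; }
    int n = load_table(in, tab);
    if (insert_entry(tab, &n, e) < 0) { fclose(in); return 1; }
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    int ofd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0664);
    FILE *out = ofd < 0 ? NULL : fdopen(ofd, "w");
    if (!out) { if (ofd >= 0) close(ofd); fclose(in); return -1; }
    for (int i = 0; i < n; i++) fprintf(out, "%s:%ld\n", tab[i].name, tab[i].score);
    int ok = fclose(out) == 0 && rename(tmp, path) == 0;
    if (!ok) unlink(tmp);
    fclose(in);                                     /* releases the lock */
    return ok ? 0 : -1;
}

int main(int argc, char **argv)
{
    struct entry e;
    harden_helper();
    if (argc != 3 || parse_entry(argv[2], &e) != 0) return 2;  /* khs-helper <file> <name:score> */
    return update_highscores(argv[1], &e) < 0 ? 1 : 0;
}
```

Assumed installation layout: the helper is owned root:games with mode 2755 (setgid games, never setuid root), the score directory is root:games 0775 and the score files 0664, so ordinary users are never members of the games group and the directory is writable only through the helper; this is what removes George's objections 1 to 3 to a group-writable file. The example leaves out the caller-authentication step George proposes; whatever form that takes, the helper still has to validate the record itself, because a secret compiled into a world-readable game binary can be read by any user who can run the game.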

