| Summary: | games-arcade/xkobo: insecure file creation | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tavis Ormandy (RETIRED) <taviso> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | enhancement | CC: | games, gentoobugs, jaak, kavol |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Tavis Ormandy (RETIRED)
2006-02-10 11:53:32 UTC
Games team, please comment

Late. games team give permission to mask until a fix is available

As I remember it, the idea is you don't add people that you don't trust to the games group, which was the purpose of having the games group the way that it is on Gentoo. I could be wrong here, as I'm going from memory from *way* back. At any rate, I'll let SpanKY chime in on what he wants to do with it.

I would have no problems with masking it, except that I somewhat disagree with the thinking, since this can only be exploited by members of the games group, and becoming a member of the games group must be done explicitly by the administrator.

masked pending resolution of security issue.

do we want a maskglsa? This is a B3 I tend to vote NO.

tend_to_no++;

/me votes no

Changing to enhancement after ~3 votes against a masking GLSA. Pls switch back/comment when the issue is addressed.

Games, do you want to keep this masked or should it be removed?

masked. we'll fix it eventually.

Hi, I am trying various games in Gentoo and I've come across this package mask ... If I get it right ... xkobo writes its records into the directory '/var/games/xkobo-scores' using files with some predictable names. Since 'xkobo-scores' is writable by the 'games' group, anybody within that group can create a file - or a symlink - there. The link can point to any other file on the system. If the link name is a name which xkobo uses and the target file is writable by others and/or by the group 'games' then xkobo overwrites the file with its data. So, from my point of view, this is not a reason to consider it a security risk -
1) If somebody makes own files writable by others or by some group then he must be aware of the chance that they will be overwritten by others. It must be done explicitly, this is not the system default behaviour, so I see no point in protecting users against themselves.
2) Probably, a lot of other games behave the same way (?), they all would have to be masked ...
If I get it wrong I am sorry for bothering with my mistakes and please explain where it lies.

1) it doesn't have to be writable by other users, it has to be writable by _you_, which for most people, is all of your files.
2) yes, if you know of any please file bugs.

(In reply to comment #12)
> 1) it doesn't have to be writable by other users, it has to be writable by
> _you_, which for most people, is all of your files.

thanks, I get it ... the game is not installed suid 'games', so it runs with the privileges of the user who started it I do not know what has led me to think it is ... but, wouldn't that be a solution?

games-arcade/xkobo is no longer in portage.

I hereby vote noglsa. Feel free to reopen if you feel otherwise.