Due to Gentoo's non-standard games group policy, users in the games group can create files arbitrarily in /var/games/xkobo-scores. As xkobo will follow symlinks, this can be abused to overwrite or create files with the permissions of another user.
reproduce:
    cd /var/games/xkobo-scores
    ln -s /target/file <uid of victim>
This is not a bug in xkobo, which was obviously designed to run setgid games, but due to Gentoo's group games policy.
Games team, please comment
Late.
games team give permission to mask until a fix is available
As I remember it, the idea is you don't add people that you don't trust to the games group, which was the purpose of having the games group the way that it is on Gentoo. I could be wrong here, as I'm going from memory from *way* back. At any rate, I'll let SpanKY chime in on what he wants to do with it. I would have no problems with masking it, except that I somewhat disagree with the thinking, since this can only be exploited by members of the games group, and becoming a member of the games group must be done explicitly by the administrator.
masked pending resolution of security issue. do we want a maskglsa?
This is a B3; I tend to vote NO.
tend_to_no++;
/me votes no. Changing to enhancement after ~3 votes against a masking GLSA. Pls switch back/comment when the issue is addressed.
Games, do you want to keep this masked or should it be removed?
masked. we'll fix it eventually.
Hi, I am trying various games in Gentoo and I've come across this package mask ... If I get it right ... xkobo writes its records into the directory '/var/games/xkobo-scores' using files with some predictable names. Since 'xkobo-scores' is writable by the 'games' group, anybody within that group can create a file - or a symlink - there. The link can point to any other file on the system. If the link name is a name which xkobo uses and the target file is writable by others and/or by the group 'games' then xkobo overwrites the file with its data. So, from my point of view, this is not a reason to consider it a security risk -
1) If somebody makes his own files writable by others or by some group then he must be aware of the chance that they will be overwritten by others. It must be done explicitly, this is not the system default behaviour, so I see no point in protecting users against themselves.
2) Probably, a lot of other games behave the same way (?), they all would have to be masked ...
If I get it wrong I am sorry for bothering with my mistakes and please explain where it lies.
1) it doesn't have to be writable by other users, it has to be writable by _you_, which for most people, is all of your files.
2) yes, if you know of any please file bugs.
(In reply to comment #12)
> 1) it doesn't have to be writable by other users, it has to be writable by
> _you_, which for most people, is all of your files.
thanks, I get it ... the game is not installed suid 'games', so it runs with the privileges of the user who started it. I do not know what has led me to think it is ... but, wouldn't that be a solution?
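The problem discussed in this bug is a score writer that follows a symlink placed in a group-writable directory. As an added example (not code from xkobo, Gentoo or any commenter here), this is one way a writer can refuse such links using O_NOFOLLOW and an fstat() check on the opened descriptor. The names open_score_file and run_demo and the scratch directory under /tmp are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L  /* O_NOFOLLOW, O_CLOEXEC, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open <dir>/<uid> for writing. Refuses symlinks, non-regular files, files
 * owned by another user and files with extra hard links. Returns fd or -1. */
int open_score_file(const char *dir, uid_t uid)
{
    char path[4096];
    struct stat st;
    int n = snprintf(path, sizeof path, "%s/%lu", dir, (unsigned long)uid);
    if (n < 0 || (size_t)n >= sizeof path) { errno = ENAMETOOLONG; return -1; }
    /* O_NOFOLLOW fails with ELOOP when the last component is a symlink. No
     * O_TRUNC: nothing is modified until fstat() on the opened fd has passed. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != uid || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1;
    }
    if (ftruncate(fd, 0) != 0) { close(fd); return -1; }
    return fd;
}

/* Constructed demo in a scratch directory standing in for the score directory:
 * 1 if a planted link is refused, its target intact, a plain file accepted. */
int run_demo(void)
{
    char dir[] = "/tmp/scoredemoXXXXXX", target[64], name[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(name, sizeof name, "%s/%lu", dir, (unsigned long)geteuid());
    FILE *f = fopen(target, "w");
    if (!f || fputs("precious", f) < 0 || fclose(f) != 0) return 0;
    if (symlink(target, name) != 0) return 0;
    int fd = open_score_file(dir, geteuid());
    int refused = (fd < 0 && errno == ELOOP);
    int intact = (stat(target, &st) == 0 && st.st_size == 8);
    unlink(name);
    int fd2 = open_score_file(dir, geteuid());  /* link gone: file is created */
    if (fd >= 0) close(fd);
    if (fd2 >= 0) close(fd2);
    unlink(name); unlink(target); rmdir(dir);
    return refused && intact && fd2 >= 0;
}
```

The ELOOP result for a symlink opened with O_NOFOLLOW is Linux behaviour; to run the demo, call run_demo() from a main().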
games-arcade/xkobo is no longer in portage.
I hereby vote noglsa. Feel free to reopen if you feel otherwise.