[V 3.0.5] NetBSD question

Todd Rich

(Msg. 1) Posted: Mon Mar 13, 2006 9:55 am
Post subject: [V 3.0.5] NetBSD question
Archived from groups: rec>games>roguelike>angband

Well, after taking a few months break I decided to play Angband again. My
ISP has it installed for their users of their NetBSD shell. However it
tells me my savefile doesn't exist. Crud, but oh well. I play a little
bit and go to quit and it tells me it can't save the game. Scorefile
doesn't exist.

Any suggestions on how to fix this?

Todd


darkDrone

(Msg. 2) Posted: Mon Mar 13, 2006 9:55 am
Post subject: Re: [V 3.0.5] NetBSD question

hey Todd,

im guessing you could request your ISP to make the directory where the
Angband install is at - write also.

but i figure that's probably security related.

not much YOU can do to fix it short of setting up a NETBSD install on
your PC.

Todd Rich wrote:

> Well, after taking a few months break I decided to play Angband again. My
> ISP has it installed for their users of their NetBSD shell. However it
> tells me my savefile doesn't exist. Crud, but oh well. I play a little
> bit and go to quit and it tells me it can't save the game. Scorefile
> doesn't exist.
>
> Any suggestions on how to fix this?
>
> Todd


pete mack

(Msg. 3) Posted: Mon Mar 13, 2006 9:55 am
Post subject: Re: [V 3.0.5] NetBSD question

Todd Rich wrote:
> darkDrone <family.sens DeleteThis @gmail.com> wrote:
> > hey Todd,
>
> > im guessing you could request your ISP to make the directory where the
> > Angband install is at - write also.
>
> well it seems to be in /usr/local/bin. There is a file angband-3.0.5 and a
> directory angband that seems to be just a link to the angband-3.0.5 file.
>
> > but i figure that's probably security related.
>
> Probably not. The game is playable, just not saveable. There is no man
> page installed for it, and it was installed long enough ago that the
> person who did it doesn't work there anymore.
>
> > not much YOU can do to fix it short of setting up a NETBSD install on
> > your PC.
>
> Well, other than the fact the staff isn't sure where to go, they are
> willing to make the changes to make it saveable again, they just aren't
> sure what the right thing is.
>
> Also, in my $home is a .angband directory which contains another directory
> Angband. No files in either directory.

UNIX-style installs of angband are supposed to be save-file
unscummable, which means only the pref files go in ~/.angband. The
executable itself needs to be suid root to maintain save files
associated with the install. (It's been 10 years since I played on a
pure Unix install, so my memory is hazy on the details. OS X works a
different way.)

Twisted

(Msg. 4) Posted: Mon Mar 13, 2006 9:55 am
Post subject: Re: NetBSD question

Your ISP lets you have a shell? And run stuff that's setuid root??
Cool. :)

OTOH, there's a better way, security-wise -- make a "games" account
with limited privileges but full access to the savefiles and read
access to user home dirs, and run angband setuid games instead.

pete mack

(Msg. 5) Posted: Mon Mar 13, 2006 11:37 am
Post subject: Re: [V 3.0.5] NetBSD question

Julian Lighton wrote:

> Angband should _not_ be setuid root. While I don't know of any bugs
> that would allow one to use it to subvert system security, I am not
> willing to rule out the possibility.
>
> The correct thing to do is to have a special user or group for games
> (or perhaps just for Angband), give it write permission everywhere
> appropriate, and make the binary setuid or setgid to that group. That
> way, a security breach compromises only the games.

Yes, sorry about that. I was thinking about what the cause was, not
what the right way to fix it might be. Sounds like it's all cleared
up, in any case.

Todd Rich

(Msg. 6) Posted: Mon Mar 13, 2006 11:55 am
Post subject: Re: [V 3.0.5] NetBSD question

darkDrone <family.sens.TakeThisOut@gmail.com> wrote:
> hey Todd,

> im guessing you could request your ISP to make the directory where the
> Angband install is at - write also.

well it seems to be in /usr/local/bin. There is a file angband-3.0.5 and a
directory angband that seems to be just a link to the angband-3.0.5 file.

> but i figure that's probably security related.

Probably not. The game is playable, just not saveable. There is no man
page installed for it, and it was installed long enough ago that the
person who did it doesn't work there anymore.

> not much YOU can do to fix it short of setting up a NETBSD install on
> your PC.

Well, other than the fact the staff isn't sure where to go, they are
willing to make the changes to make it saveable again, they just aren't
sure what the right thing is.

Also, in my $home is a .angband directory which contains another directory
Angband. No files in either directory.

Thanks for the help.
Todd

Todd Rich

(Msg. 7) Posted: Mon Mar 13, 2006 1:55 pm
Post subject: Re: [V 3.0.5] NetBSD question

pete mack <pmac360.DeleteThis@hotmail.com> wrote:
(snip)
> UNIX-style installs of angband are supposed to be save-file
> unscummable, which means only the pref files go in ~/.angband. The
> executable itself needs to be suid root to maintain save files
> associated with the install. (It's been 10 years since I played on a
> pure Unix install, so my memory is hazy on the details. OS X works a
> different way.)

Turns out after their last rebuild, it wasn't included in the proper
permissions. They fixed it and my savefile is just fine. 6 months of
play did NOT go down the drain. Whoo-hoo!
Todd

Todd Rich

(Msg. 8) Posted: Mon Mar 13, 2006 1:55 pm
Post subject: Re: NetBSD question

Twisted <twisted0n3.DeleteThis@gmail.com> wrote:
> Your ISP lets you have a shell? And run stuff that's setuid root??
> Cool. :)

Not quite. I'm at Panix (www.panix.com) and they have a no-dial in shell
account that runs $10/mo or $100/yr.

> OTOH, there's a better way, security-wise -- make a "games" account
> with limited privileges but full access to the savefiles and read
> access to user home dirs, and run angband setuid games instead.

Actually, that is pretty close to what they are doing. The Angband
directory was group owned by "games" but angband wasn't setgid games.

Todd

Twisted

(Msg. 9) Posted: Mon Mar 13, 2006 2:41 pm
Post subject: Re: NetBSD question

Weird. It's a security risk they needn't take. As it stands, Joe
Attacker can compromise the whole system if there's a way to exploit
the Angband executable to run arbitrary code (privilege escalation).
With setgid games or similar, the worst an attacker could do with such
an exploit is savefile-scum. ;)

Twisted

(Msg. 10) Posted: Mon Mar 13, 2006 2:44 pm
Post subject: Re: NetBSD question

They're worried about risks if it's setgid games, so it's setuid root?!

Julian Lighton

(Msg. 11) Posted: Mon Mar 13, 2006 2:55 pm
Post subject: Re: [V 3.0.5] NetBSD question

In article <1142270249.878460.105880.DeleteThis@i40g2000cwc.googlegroups.com>,
pete mack <pmac360.DeleteThis@hotmail.com> wrote:
>UNIX-style installs of angband are supposed to be save-file
>unscummable, which means only the pref files go in ~/.angband. The
>executable itself needs to be suid root to maintain save files
>associated with the install.

Angband should _not_ be setuid root. While I don't know of any bugs
that would allow one to use it to subvert system security, I am not
willing to rule out the possibility.

The correct thing to do is to have a special user or group for games
(or perhaps just for Angband), give it write permission everywhere
appropriate, and make the binary setuid or setgid to that group. That
way, a security breach compromises only the games.
--
Julian Lighton jl8e.DeleteThis@fragment.com
/* You are not expected to understand this. */

Joshua Rodman

(Msg. 12) Posted: Mon Mar 13, 2006 3:55 pm
Post subject: Re: [V 3.0.5] NetBSD question

On 2006-03-13, Julian Lighton <jl8e.RemoveThis@fragment.com> wrote:
> In article <1142270249.878460.105880.RemoveThis@i40g2000cwc.googlegroups.com>,
> pete mack <pmac360.RemoveThis@hotmail.com> wrote:
>>UNIX-style installs of angband are supposed to be save-file
>>unscummable, which means only the pref files go in ~/.angband. The
>>executable itself needs to be suid root to maintain save files
>>associated with the install.
>
> Angband should _not_ be setuid root. While I don't know of any bugs
> that would allow one to use it to subvert system security, I am not
> willing to rule out the possibility.
>
> The correct thing to do is to have a special user or group for games
> (or perhaps just for Angband), give it write permission everywhere
> appropriate, and make the binary setuid or setgid to that group. That
> way, a security breach compromises only the games.

None of this contradicts anything you say, but I just felt compelled to
blather a lot more once the topic got raised.

FWIW, some people feel that having essentially shared datafiles between
users comprise a sort of attack vector between programs. That is, if you
can manage to get angband to put nasty data in say the high score file,
you may then be able to get angband to do things with other users'
privileges when run by other users.

_Some_ admins even worry about setting games setgid games, because it
"escalates" the privileges of often poorly audited code. Although this
of course brings up the question of what extra privileges they have
(namely, overwriting high scores and sometimes save files).

There _have_ been some actual published exploits along the data sharing
line from time to time, though not in angband specifically. Still, it
isn't much removed from users attacking each other by sharing
maliciously crafted documents, which can be theoretically done with any
application really, from emacs to MSWORD.

Mainly I was just initially suspicious that NetBSD wasn't installing
setgid because of worries along these lines. Certainly when I last
worked in releasing UNIX distributions, many games were shipped without
the appropriate setgid for these reasons.

So there you have it. Bugs in angband installed in a shared user setup
could theoretically be an attack vector for users who already have
machine access to other users. It's a really lousy attack vector
though, so I lose no sleep over it.
--
Grim. Grom. Grümmer.

Todd Rich

(Msg. 13) Posted: Mon Mar 13, 2006 8:55 pm
Post subject: Re: NetBSD question

Twisted <twisted0n3.RemoveThis@gmail.com> wrote:
> They're worried about risks if it's setgid games, so it's setuid root?!

No, it is setgid games where angband was NOT included and wouldn't run
right. It was NOT, I repeat NOT setuid root! It was in /usr/local/bin
with no write permissions.

Twisted

(Msg. 14) Posted: Mon Mar 13, 2006 10:34 pm
Post subject: Re: NetBSD question

I thought someone said earlier that it was setuid root?

Todd Rich

(Msg. 15) Posted: Tue Mar 14, 2006 5:55 am
Post subject: Re: NetBSD question

Twisted <twisted0n3.DeleteThis@gmail.com> wrote:
> I thought someone said earlier that it was setuid root?

pete mack <pmac360.DeleteThis@hotmail.com> said that it had to be root to maintain
savefiles, but that is not the case. From what others have said, it only
needs write permissions to the correct directory, which it gets from
setgid 'games'.
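
Added example, not part of any post in this thread: a small shell check for the three states the thread discusses (binary not setgid so saves fail, binary setgid to the group that owns the save directory, binary setuid root). It reads `ls -ld` output; the sample listings, the owner and group names on them, and the save directory path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): judge a shared game install from two
# `ls -ld` lines, one for the binary and one for its save directory.
# Prints: over-privileged | ok | cannot-save

# Return success if character $2 of mode string $1 is s or S (set-id bit).
has_setid() {
    case $(printf '%s' "$1" | cut -c"$2") in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

audit_game_perms() {
    # ls -ld fields: mode links owner group size date... name
    read -r bin_mode junk bin_owner bin_group junk <<EOF
$1
EOF
    read -r dir_mode junk dir_owner dir_group junk <<EOF
$2
EOF
    dir_owner_w=$(printf '%s' "$dir_mode" | cut -c3)
    dir_group_w=$(printf '%s' "$dir_mode" | cut -c6)

    # setuid root: any bug in the game runs with full system privileges.
    if has_setid "$bin_mode" 4; then
        case $bin_owner in root|0) echo over-privileged; return ;; esac
        # setuid to a dedicated account that owns a writable save dir
        if [ "$bin_owner" = "$dir_owner" ] && [ "$dir_owner_w" = w ]; then
            echo ok; return
        fi
    fi
    # setgid to the group that can write the save dir (the fix in this thread)
    if has_setid "$bin_mode" 7 && [ "$bin_group" = "$dir_group" ] \
        && [ "$dir_group_w" = w ]; then
        echo ok; return
    fi
    echo cannot-save
}

# Constructed sample listings; the save directory path is a placeholder.
SAVE_DIR='drwxrwxr-x 2 root games 512 Mar 13 2006 /path/to/angband/save'
BROKEN='-rwxr-xr-x 1 root wheel 1200000 Mar 13 2006 /usr/local/bin/angband-3.0.5'
FIXED='-rwxr-sr-x 1 root games 1200000 Mar 13 2006 /usr/local/bin/angband-3.0.5'
SUID_ROOT='-rwsr-xr-x 1 root wheel 1200000 Mar 13 2006 /usr/local/bin/angband-3.0.5'

for listing in "$BROKEN" "$FIXED" "$SUID_ROOT"; do
    printf '%s -> %s\n' "$listing" "$(audit_game_perms "$listing" "$SAVE_DIR")"
done
```

On a real system, pass the output of `ls -ld` for the installed binary and for its save directory as the two arguments.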