
gnomine: unnecessary setgid

Package(s): gnomine    CVE #(s):
Created: July 8, 2010    Updated: July 15, 2010
Description:

From the MeeGo advisory:

The /usr/bin/gnomine binary is setgid for the games group. There is no explicit reason to be setgid and this violates best known practices for security; specifically by not using the principles of least privilege and unintentionally expanding the attackable surface area of MeeGo.

Alerts:
MeeGo MeeGo-SA-10:09 2010-07-07


gnomine: unnecessary setgid

Posted Jul 15, 2010 6:37 UTC (Thu) by rhertzog (subscriber, #4671)

Many games are setgid on the games group so that they can update a system wide high-score file.

This security advisory does not seem to take this information into account.

On my Debian system:
$ ls -al /usr/games/gnomine
-rwxr-sr-x 1 root games 135580 4 juil. 13:16 /usr/games/gnomine
$ ls -ald /var/games/ /var/games/gnomine.*
drwxr-xr-x 3 root root 4096 7 mai 11:25 /var/games/
-rw-rw-r-- 1 root games 0 3 déc. 2008 /var/games/gnomine.Custom.scores
-rw-rw-r-- 1 root games 0 3 déc. 2008 /var/games/gnomine.Large.scores
-rw-rw-r-- 1 root games 0 3 déc. 2008 /var/games/gnomine.Medium.scores
-rw-rw-r-- 1 root games 0 3 déc. 2008 /var/games/gnomine.Small.scores

gnomine: unnecessary setgid

Posted Jul 15, 2010 10:15 UTC (Thu) by Darkmere (subscriber, #53695)

MeeGo is by design a single-user environment though, so I don't think there's much difference in an "all users highscore" and "current user highscore" for this situation.
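The manual check from the first comment above, generalised as an added example (not part of the advisory or of either comment): for each setgid executable under one directory, count the entries under a data directory that the binary's group can write. The function name audit_setgid and both directory arguments are assumptions chosen for illustration; a count of 0 means the setgid bit grants access to nothing in that data directory.

```shell
#!/bin/sh
# Added example, not code from the advisory or the comments.
# usage: audit_setgid BIN_DIR DATA_DIR
#   BIN_DIR   directory to scan for setgid executables (e.g. /usr/games)
#   DATA_DIR  directory holding shared state (e.g. /var/games)
# Prints one line per setgid file: path, numeric gid, and the number of
# entries under DATA_DIR that belong to that gid and are group-writable.
audit_setgid() {
    bin_dir=$1
    data_dir=$2
    # -perm -2000 matches regular files with the setgid bit set.
    find "$bin_dir" -type f -perm -2000 | while IFS= read -r bin; do
        # Fourth column of "ls -ln" is the numeric group id of the file.
        gid=$(ls -ldn "$bin" | awk '{print $4}')
        # Entries the group can write (-perm -020). Symlinks are skipped
        # because their own mode bits carry no meaning on Linux.
        writable=$(find "$data_dir" ! -type l -group "$gid" -perm -020 \
                   2>/dev/null | wc -l | tr -d ' ')
        printf '%s gid=%s group-writable=%s\n' "$bin" "$gid" "$writable"
    done
}

# Run directly as: sh audit.sh /usr/games /var/games
if [ "$#" -eq 2 ]; then
    audit_setgid "$1" "$2"
fi
```

A non-zero count only shows that group-writable data exists; whether a system-wide file is needed on a given system is still a design decision.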
