Bug 1228058

Summary: AUDIT-0: emacs: setgid-games shared highscore helper program
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Dr. Werner Fink <werner>
Component: Security
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: matthias.gerstner, wolfgang.frisch
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other

Description Dr. Werner Fink 2024-07-17 12:35:38 UTC
Please allow emacs to use a setgid (group "games") helper executable

  /usr/libexec/emacs/%{version}/%{_target_cpu}-suse-linux/update-game-score

to modify score files below

  ll -d /var/games/emacs/
  drwxrwxr-x 2 games games 47 Feb  5 05:07 /var/games/emacs/

Current emacs in project editors now has a new package emacs-games which
shows

-rwxr-sr-x 1 games games 18552 Jul 17 14:29 /usr/libexec/emacs/29.4/x86_64-suse-linux/update-game-score
drwxr-xr-x 2 root  root      0 Jul 17 14:29 /usr/share/permissions/permissions.d
-rw-r--r-- 1 root  root     77 Jul 17 14:29 /usr/share/permissions/permissions.d/emacs-games
-rw-r--r-- 1 root  root     77 Jul 17 14:29 /usr/share/permissions/permissions.d/emacs-games.paranoid
drwxrwxr-x 2 games games     0 Jul 17 14:29 /var/games/emacs
-rw-rw---- 1 games games     0 Jul 17 14:29 /var/games/emacs/snake-scores
-rw-rw---- 1 games games     0 Jul 17 14:29 /var/games/emacs/tetris-scores
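
An added illustration, not part of the bug report or the emacs sources: the listing above can be checked mechanically for which programs carry setuid/setgid bits and which paths the setgid group can write that "other" cannot, i.e. what the helper gains over an ordinary caller. The function names are hypothetical, and the caller is assumed to be neither user `games` nor a member of group `games`.

```python
import re

# Listing copied from the bug description (emacs-games package contents).
LISTING = """\
-rwxr-sr-x 1 games games 18552 Jul 17 14:29 /usr/libexec/emacs/29.4/x86_64-suse-linux/update-game-score
drwxr-xr-x 2 root  root      0 Jul 17 14:29 /usr/share/permissions/permissions.d
-rw-r--r-- 1 root  root     77 Jul 17 14:29 /usr/share/permissions/permissions.d/emacs-games
-rw-r--r-- 1 root  root     77 Jul 17 14:29 /usr/share/permissions/permissions.d/emacs-games.paranoid
drwxrwxr-x 2 games games     0 Jul 17 14:29 /var/games/emacs
-rw-rw---- 1 games games     0 Jul 17 14:29 /var/games/emacs/snake-scores
-rw-rw---- 1 games games     0 Jul 17 14:29 /var/games/emacs/tetris-scores
"""

# mode, link count, owner, group, size, month, day, time, path
LINE = re.compile(r"^(\S{10})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")

def parse(listing):
    """Turn `ls -l` lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in listing.splitlines():
        m = LINE.match(line)
        if m:
            mode, owner, group, path = m.groups()
            entries.append({"mode": mode, "owner": owner, "group": group, "path": path})
    return entries

def setid_programs(entries):
    """Regular files that run with the file owner's uid or the file group's gid."""
    found = []
    for e in entries:
        mode = e["mode"]
        if mode[0] != "-":
            continue
        if mode[3] in "sS":          # user-execute slot holds the setuid flag
            found.append((e["path"], "setuid", e["owner"]))
        if mode[6] in "sS":          # group-execute slot holds the setgid flag
            found.append((e["path"], "setgid", e["group"]))
    return found

def gained_write(entries, group):
    """Paths writable by `group` but not by other: write access the setgid bit adds."""
    return [e["path"] for e in entries
            if e["group"] == group and e["mode"][5] == "w" and e["mode"][8] != "w"]

if __name__ == "__main__":
    entries = parse(LISTING)
    for path, kind, ident in setid_programs(entries):
        print(f"{kind} {ident}: {path}")
        print("  gains write on:", gained_write(entries, ident))
```

The helper binary itself does not appear in the write list because its mode has no group write bit, so members of group `games` cannot replace it.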

Comment 1 Matthias Gerstner 2024-07-17 13:43:44 UTC
I wouldn't have thought that stuff like this really still exists these days.
It will need a thorough review, but even then I wonder if we want to give away
privileges for a feature that will hardly be used anywhere anymore.

Comment 2 Dr. Werner Fink 2024-07-17 14:01:31 UTC
(In reply to Matthias Gerstner from comment #1)
> I wouldn't have thought that stuff like this really still exists these days.
> It will need a thorough review, but even then I wonder if we want to give away
> privileges for a feature that will hardly be used anywhere anymore.

You mean nobody is playing games with emacs? ... There are a lot of games in emacs as well as a psychotherapist and AFAIK those are still played ... nevertheless I've split off emacs-games as its own package for those who are cold fish.

Comment 3 Matthias Gerstner 2024-07-18 07:46:56 UTC
(In reply to werner@suse.com from comment #2)
> You mean nobody is playing games with emacs? ... There are a lot of games in emacs as well as a psychotherapist and AFAIK those are still played ... nevertheless I've split off emacs-games as its own package for those who are cold fish.

Partly I meant playing games in an editor, but mostly I meant setting up
setuid/setgid bits for implementing shared highscore lists on a system. I
believe there are close to zero systems still present in the world where people
share a host to play games and share their highscores also.

Comment 4 Matthias Gerstner 2024-07-19 07:13:15 UTC
The source for update-game-score is about 500 lines of standalone C code. It
seems to be rather old code. Given its size, reviewing it should be manageable.