Bug 1228058 - AUDIT-0: emacs: setgid-games shared highscore helper program
Summary: AUDIT-0: emacs: setgid-games shared highscore helper program
Status: NEW
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security (show other bugs)
Version: Current
Hardware: Other Other
: P5 - None : Normal (vote)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-17 12:35 UTC by Dr. Werner Fink
Modified: 2024-07-19 07:13 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Dr. Werner Fink 2024-07-17 12:35:38 UTC 
Please allow emacs to use a setgid (group "games") helper executable

  /usr/libexec/emacs/%{version}/%{_target_cpu}-suse-linux/update-game-score

to modify score files below

  ll -d /var/games/emacs/
  drwxrwxr-x 2 games games 47 Feb  5 05:07 /var/games/emacs/

Current emacs in project editors now has a new package emacs-games which
shows

-rwxr-sr-x 1 games games 18552 Jul 17 14:29 /usr/libexec/emacs/29.4/x86_64-suse-linux/update-game-score
drwxr-xr-x 2 root  root      0 Jul 17 14:29 /usr/share/permissions/permissions.d
-rw-r--r-- 1 root  root     77 Jul 17 14:29 /usr/share/permissions/permissions.d/emacs-games
-rw-r--r-- 1 root  root     77 Jul 17 14:29 /usr/share/permissions/permissions.d/emacs-games.paranoid
drwxrwxr-x 2 games games     0 Jul 17 14:29 /var/games/emacs
-rw-rw---- 1 games games     0 Jul 17 14:29 /var/games/emacs/snake-scores
-rw-rw---- 1 games games     0 Jul 17 14:29 /var/games/emacs/tetris-scores
Comment 1 Matthias Gerstner 2024-07-17 13:43:44 UTC 
I wouldn't have thought that stuff like this really still exists these days.
It will need a thorough review, but even then I wonder if we want to give away
privileges for a feature that will hardly be used anywhere anymore.
Comment 2 Dr. Werner Fink 2024-07-17 14:01:31 UTC 
(In reply to Matthias Gerstner from comment #1)
> I wouldn't have thought that stuff like this really still exists these days.
> It will need a thorough review, but even then I wonder if we want to give
> away
> privileges for a feature that will hardly be used anywhere anymore.

You mean nobody is playing games with emacs? ... There are a lot of games in emacs as well as a psychotherapist and AFAIK those are still played ... nevertheless I've splitted of emacs-games as its own packages for those
who be a cold fish.
Comment 3 Matthias Gerstner 2024-07-18 07:46:56 UTC 
(In reply to werner@suse.com from comment #2)
> You mean nobody is playing games with emacs? ... There are a lot of games in emacs as well as a psychotherapist and AFAIK those are still played ... nevertheless I've splitted of emacs-games as its own packages for those
> who be a cold fish.

Partly I meant playing games in an editor, but mostly I meant setting up
setuid/setgid bits for implementing shared highscore lists on a system. I
believe there is close to zero systems still present in the world, where people
share a host to play games and share their highscores also.
Comment 4 Matthias Gerstner 2024-07-19 07:13:15 UTC 
The source for update-game-score is about 500 lines of standalone C code. It
seems to be rather old code. Given its size, reviewing it should be managable.