Package: hannah Version: 2.0.1+ds1-0.3 Severity: normal Tags: patch User: [email protected] Usertags: setgid not-gamesteam X-Debbugs-Cc: Alexandre Detiste <[email protected]>
The executable /usr/games/hannah is currently setgid games, giving it elevated privileges when compared with its caller. As recently discussed on the debian-devel-games list [0], setgid is a big hammer which doesn't seem particularly justified for a simple high-score table. For this specific game, when I started looking into it, I noticed that the setgid privilege is not actually effective for providing a shared system-wide high score table, for two reasons: - the patch to make the game write to /var/games/hannah/ is still present but hasn't actually been applied since trixie, so all players since trixie will have stored their high scores in ~/.hannah/; - and even if the patch was applied, it wouldn't work as intended, because nothing creates /var/games/hannah/ with suitable permissions, so the game can't write there even with setgid So I think it would be most sensible to just drop the patch and not have setgid. I've provided a MR at https://salsa.debian.org/debian/hannah/-/merge_requests/1 (not yet tested but I believe it should work) implementing that, with a followup at https://salsa.debian.org/debian/hannah/-/merge_requests/2 to deal with some other cleanup that I noticed while I was there. Marga, I see you're the maintainer of record for this package but you haven't touched it since 2008. If someone (Alexandre?) is interested in maintaining this game, would you like the Games Team to adopt it? Thanks, smcv [0] thread starts at https://lists.debian.org/debian-devel-games/2025/12/msg00016.html aka https://lists.debian.org/msgid-search/[email protected]
