Package: circuslinux Version: 1.0.3-35 Severity: wishlist User: [email protected] Usertags: setgid not-gamesteam
The /usr/games/circuslinux executable is setgid games. Because this game depends on libraries that make no attempt to avoid privilege escalation from the caller to the games group, this use of setgid is basically security theatre: it's essentially equivalent to making the high scores world-writeable. In particular, because this game depends on SDL, it's very easy to use it to escalate privileges to the games group. SDL is not designed to be used by set*id executables (reference: https://github.com/libsdl-org/SDL/issues/14717). Discussion on the debian-devel-games list starting at https://lists.debian.org/debian-devel-games/2025/12/msg00016.html (or equivalently https://lists.debian.org/msgid-search/[email protected]) indicates that several games team members think the complexity cost and security implications of games being setgid are too high a price to pay for shared high scores on multi-user systems. Could this game be modified to save game state to a per-user location instead? In SDL 2 or later, the SDL_PrefPath() is likely to be the most suitable place. Unfortunately SDL 1.2 doesn't have that function, but it could be copied or reimplemented if necessary: on Unix, it's an implementation of the XDG_DATA_HOME from the XDG Base Directory specification <https://specifications.freedesktop.org/basedir/latest/>. Ideally the game would copy the high score file from /var/games/circuslinux into the user's home directory during startup in order to preserve existing high scores. Thanks, smcv
