tag 684178 - security
severity 684178 normal
thanks

On Tue, 07 Aug 2012 16:49:47 +0200
Andreas Beckmann <deb...@abeckmann.de> wrote:

> Package: gpe-tetris
> Version: 0.6.4-2
> Severity: grave
> Tags: security
> Justification: user security hole

Highscore data for a game is not related to security. GPE is primarily an embedded platform and is designed for single-user systems (there's no support for multi-user in GPE). The dat file is the highscore data for the game.

> drwxrwxrwx 2 root root 60 Aug 7 10:18 /var/games/gpe
> -rw-rw-rw- 1 root games 0 Aug 7 10:18 /var/games/gpe/gpe-tetris.dat
>
> This allows any local user to modify and replace files in there ...

That's because the local user needs to write to the highscore data, which is global. gpe-tetris doesn't support multiple highscore data files.

> Shouldn't root:games 0664 for gpe-tetris.dat and

0664 will prevent any user setting a highscore. The file needs to be writeable.

> root:root 0755 or root:games 0775 for gpe/ be sufficient?

$ sudo chown root:games gpe/
$ touch ./gpe/dat
touch: cannot touch `./gpe/dat': Permission denied
$ sudo chmod 0775 gpe/
$ touch ./gpe/dat
touch: cannot touch `./gpe/dat': Permission denied

So, no.

--
Neil Williams
=============
http://www.linux.codehelp.co.uk/