user-writable content in games

Hans de Goede j.w.r.degoede at hhs.nl
Sun Apr 23 20:05:22 UTC 2006



Wart wrote:
> I've come across two games so far that allow user-contributed content,
> but am unsure of how to proceed with the file permissions.
> 
> The first game, njam, has an in-game editor for users to create new
> levels.  The directory where user-levels are saved is
> /usr/share/njam/levels.
> 
> The second game, hack (part of bsd-games), creates 'bones' files when a
> character dies.  These bones files are later loaded and removed when
> other players start a game to create ghosts and treasure piles.
> 
> In both cases this user-contributed content needs to be placed in a
> directory that is writable by the game binary.  This is similar to the
> shared scoreboard file, except that in both of these cases the name of
> the file is not known in advance, so we can't open a setgid filehandle
> when the game starts up and then drop setgid.
> 
> hack works around this by not dropping setgid so that the app is free to
> create new files in the content directory, which isn't the safest thing
> to do.
> 
> Does anyone have any ideas on how we can allow this user-contributed
> content without sacrificing too much security in the games?
> 

I _really_ believe we shouldn't try to wrangle ourselves into all kinds of
corners for things like this. Either we can solve things simply, or we
should try to not solve them at all.

My suggestions for the 2 given examples:
-just give hack its own private group and let it run as that; that
 reduces the risk to:
 -someone manages to get hack-rights
 -this someone uses those rights to create malformed input files for
  hack
 -if someone-else runs hack these malformed input files could cause hack
  to do unwanted stuff with someone-else's rights.
 Then the question becomes: is this an acceptable risk? We could make the
 risk even smaller by implementing the suggestions done by Jason so that
 the files can be opened immediately in main and rights dropped. If we do
 things Jason's way we probably don't even need a separate hack user.
-for njam, teach it to save and look for levels under $HOME. If a user
 wants to share his levels he can just give them to other users to copy
 to their level dir, or ask his sysadmin to put them in the global dir;
 why should we assume he wants to share them and jump through hoops to
 automatically share them for him?

Regards,

Hans
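The "open the shared file in main, then drop rights" pattern the thread keeps coming back to, as an added illustration (not code from the list, njam, hack or bsd-games): the file is opened while the setgid group is still in effect, the group is then dropped from all three gid slots with setresgid (Linux/glibc), and the drop is read back with getresgid rather than trusted from the return value. The path and the 0660 mode are assumptions for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Permanently drop the setgid game group: set real, effective and saved
 * gid to the caller's real gid, then read them back to confirm the drop.
 * Returns 0 on success, -1 if the call failed or did not take effect. */
int drop_game_group(void)
{
    gid_t rgid = getgid();
    gid_t r, e, s;

    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    /* Do not trust the return value alone; verify all three slots. */
    if (getresgid(&r, &e, &s) != 0)
        return -1;
    return (r == rgid && e == rgid && s == rgid) ? 0 : -1;
}

/* 1 when no elevated group remains in any of the three gid slots. */
int game_group_dropped(void)
{
    gid_t r, e, s;
    if (getresgid(&r, &e, &s) != 0)
        return 0;
    return (r == e && e == s);
}

/* Open a shared game file (scoreboard, bones file, ...) while the setgid
 * group is still effective, then drop the group before any game logic
 * runs. Returns the fd, which stays usable after the drop, or -1. The
 * group is dropped even when open() fails, so a caller that treats -1 as
 * fatal never continues with elevated rights. */
int open_shared_file_then_drop(const char *path, int flags)
{
    int fd = open(path, flags, 0660);   /* permission check uses the egid */
    int saved_errno = errno;

    if (drop_game_group() != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fd < 0)
        errno = saved_errno;
    return fd;
}
```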
