
Mailing List Archive: Gentoo: Dev

Do we need games group and all that game prefixes?

 

 



mgorny at gentoo

May 20, 2012, 9:26 AM

Post #1 of 13 (614 views)
Permalink
Do we need games group and all that game prefixes?

Hello,

In today's MythBusters™: do we actually need the whole ugly-awful
mangling games.eclass does for games? By that I mean:
- installing games in random pre-/postfixes rather than standard FHS-y
locations,
- changing ownership and permissions of all the files.

Do we really need all of this poor man's 'you shall not play our
games'? I don't think we're using anything like /usr/office & office
group, or /usr/random-programs-i-dont-like.

Random obscurity only makes things harder. And proves no point unless
we're going to ensure that all web browsers, ssh clients and other
applications in danger of being used to play games. And while we're at
it, why don't we just take the computer away and work on paper sheets?
Oh wait, someone could play tic-tac-toe on it...

So, my proposition is: finally drop that. Install games in regular
prefixes, like all other apps. Don't pollute systems with unnecessary
security perimeters which don't provide any real benefit.

Any comments?

--
Best regards,
Michał Górny
Attachments: signature.asc (0.31 KB)


lxnay at gentoo

May 20, 2012, 9:53 AM

Post #2 of 13 (600 views)
Permalink
Re: Do we need games group and all that game prefixes? [In reply to]

I second that.
simplicity = win.

--
Fabio Erculiani


mk at dee

May 20, 2012, 10:16 AM

Post #3 of 13 (600 views)
Permalink
Re: Do we need games group and all that game prefixes? [In reply to]

On Sun, May 20, 2012 at 7:26 PM, Michał Górny <mgorny [at] gentoo> wrote:
> - changing ownership and permissions of all the files.

As a side note: why is /usr/games owned by uid "games"? Does
games_pkg_setup() in games.eclass do that? What's the point of user
"games" (as opposed to group with same name)?

> Do we really need all of this poor man's 'you shall not play our
> games'? I don't think we're using anything like /usr/office & office
> group, or /usr/random-programs-i-dont-like.

Games are rather unique in that they sometimes keep scores across
multiple users.

> Random obscurity only makes things harder. And proves no point unless
> we're going to ensure that all web browsers, ssh clients and other
> applications in danger of being used to play games.

Sometimes users do not have Internet access or even ability to connect
removable media.

--
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)


ormaaj at gmail

May 20, 2012, 10:22 AM

Post #4 of 13 (594 views)
Permalink
Re: Do we need games group and all that game prefixes? [In reply to]

On Sunday, May 20, 2012 06:26:17 PM Michał Górny wrote:
> Do we really need all of this poor man's 'you shall not play our
> games'? I don't think we're using anything like /usr/office & office
> group, or /usr/random-programs-i-dont-like.

I'd put money on there not being a single admin who has ever used the games
group to control access to games. Games really have no business being on a
system where anything like that is a requirement to begin with.

> So, my proposition is: finally drop that. Install games in regular
> prefixes, like all other apps. Don't pollute systems with unnecessary
> security perimeters which don't provide any real benefit.
>
> Any comments?

Is there any way to keep the games group around while not doing the weird
intrusive installation prefix? I have always disliked the prefix and don't see
the point of it.

However, requiring a special group for games restricts access by certain
unprivileged programs which run as their own user/group for security reasons,
thus providing a very slight security benefit. Or someone may have a user they
use which doesn't require access to nonessential programs like games, which
tend to be big complex programs less well-audited for security bugs.
--
Dan Douglas
Attachments: signature.asc (0.19 KB)


marienz at gentoo

May 20, 2012, 10:57 AM

Post #5 of 13 (597 views)
Permalink
Re: Do we need games group and all that game prefixes? [In reply to]

+1 on getting rid of the munging. In my opinion games aren't nearly
special enough to get this kind of special treatment.

On zo, 2012-05-20 at 20:16 +0300, Maxim Kammerer wrote:
> Games are rather unique in that they sometimes keep scores across
> multiple users.

Yes, and that's frequently handled by making them setgid to some group
that actual user accounts are not in, allowing the games to write to
their own statedir without allowing users to mess with those files by
hand. Gentoo's approach actually breaks this, as it's already using the
group the game executables are in for access control (so actual user
accounts *are* in the group the game executables are in). This leads to
bug 125902, which contains a lengthy discussion on this same subject.

My personal opinion is that Gentoo's games setup only helps on systems
that have no or heavily restricted network access, no or heavily
restricted access to external media, have actual games installed
system-wide, and need access to those restricted to some accounts
through technical means. I think such a setup is sufficiently uncommon
we shouldn't special-case games this heavily to support them. I don't
think restricting games for resource consumption reasons makes sense, as
people will virtually always be able to uselessly consume resources some
other way. And I don't think restricting access to games because they're
offensive/a waste of time/etc makes sense on the majority of systems, as
people will be able to access similar content through other means, or
will be able to install games into their homedir.

However, when this came up in the past Gentoo's games project (which
does an outstanding job maintaining a *lot* of games ebuilds) was
opposed to changing this as the current setup isn't actually *broken*
(for the majority of games), and changing things around is a lot of work.
So I'd like to request they reconsider (and start installing new/updated
games in a more normal way), but as they're the ones doing most of the
work here I think it makes sense to leave the decision with them.

--
Marien Zwart
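
The setgid point in the message above, as an added example that is not part of the original thread: a small audit that flags setgid executables whose group is also held by login-capable accounts, which is the situation where the setgid bit no longer protects a shared score directory. The users, groups, file paths, the `gamestat` group name and the `uid_min=1000` cutoff are constructed assumptions, not values from Gentoo or games.eclass.

```python
import stat

# Constructed sample data (not from the thread): passwd-like and group-like records.
USERS = {  # name -> (uid, primary gid, shell)
    "root": (0, 0, "/bin/bash"),
    "games": (35, 35, "/sbin/nologin"),
    "alice": (1000, 1000, "/bin/bash"),
    "bob": (1001, 1001, "/bin/bash"),
}
GROUPS = {  # gid -> (name, supplementary members)
    35: ("games", ["alice", "bob"]),  # group doubles as access control: humans are members
    407: ("gamestat", []),            # hypothetical dedicated state group: no human members
}
FILES = [  # (path, st_mode, st_gid)
    ("/usr/games/bin/nethack", 0o102750, 35),   # setgid games
    ("/usr/bin/robots", 0o102755, 407),         # setgid gamestat
    ("/usr/games/bin/tetris", 0o100750, 35),    # group games, not setgid
]

def human_members(gid, users=USERS, groups=GROUPS, uid_min=1000):
    """Login-capable accounts holding gid as primary or supplementary group."""
    _, supplementary = groups.get(gid, (str(gid), []))
    found = set()
    for name, (uid, primary, shell) in users.items():
        in_group = primary == gid or name in supplementary
        can_login = not shell.endswith(("nologin", "false"))
        if in_group and uid >= uid_min and can_login:  # uid_min is an assumed cutoff
            found.add(name)
    return sorted(found)

def audit_setgid(files=FILES, users=USERS, groups=GROUPS):
    """Return setgid regular files whose group is also held by human accounts.

    For those files the setgid bit grants nothing a member does not already
    have, so group-writable state such as score files can be edited by hand.
    """
    findings = []
    for path, mode, gid in files:
        if stat.S_ISREG(mode) and mode & stat.S_ISGID:
            members = human_members(gid, users, groups)
            if members:
                name = groups.get(gid, (str(gid), []))[0]
                findings.append((path, name, members))
    return findings

if __name__ == "__main__":
    for path, group, members in audit_setgid():
        print(f"{path}: setgid {group}, but these accounts are already in it: {members}")
```

On a live system the same check can be fed from `os.lstat()` results and the `pwd`/`grp` modules instead of the embedded tables.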


xmw at gentoo

May 20, 2012, 1:29 PM

Post #6 of 13 (591 views)
Permalink
Re: Do we need games group and all that game prefixes? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/20/2012 07:22 PM, Dan Douglas wrote:

> I'd put money on there not being a single admin who has ever used
> the games group to control access to games. Games really have no
> business being on a system where anything like that is a
> requirement to begin with.
We (students council) use pam_ldap for users and primary groups and
pam_group w/ /etc/security/group.conf for secondary groups like
video,sound,games.

We actually considered restricting the games group to certain login
times (i.e. after 18 pm ) to prevent our fellow students from gaming
during office hours, but that just led to long time sessions
over-night. Since group memberships are evaluated on session creation.

I can imagine some multi-user setups (parents/children) where some user
shouldn't play games-fps/* at all.
But who actually shares a computer these days.

One real benefit of extra groups is some chmod g+s hack for e.g. skype
in combination with firewall rules restricting outbound connections.
http://soup.xmw.de/post/151673185/Restricting-Skype-on-Gentoo

Have a nice day ...

- --
Gentoo Dev
http://xmw.de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk+5VCgACgkQknrdDGLu8JB8SwD+JARCPBmK13Sl2/n3dsWWx/8p
LBH6j18YbfD1+IWpXaUA/iWCgTS3TI78kSTwe0hnASc+7wTygiWvIcxlPmcv9LtQ
=XXxi
-----END PGP SIGNATURE-----


ormaaj at gmail

May 20, 2012, 1:53 PM

Post #7 of 13 (594 views)
Permalink
Re: Do we need games group and all that game prefixes? [In reply to]

On Sunday, May 20, 2012 10:29:28 PM Michael Weber wrote:
> On 05/20/2012 07:22 PM, Dan Douglas wrote:
> > I'd put money on there not being a single admin who has ever used
> > the games group to control access to games. Games really have no
> > business being on a system where anything like that is a
> > requirement to begin with.
>
> We (students council) use pam_ldap for users and primary groups and
> pam_group w/ /etc/security/group.conf for secondary groups like
> video,sound,games.
>
> We actually considered restricting the games group to certain login
> times (i.e. after 18 pm ) to prevent our fellow students from gaming
> during office hours, but that just led to long time sessions
> over-night. Since group memberships are evaluated on session creation.
>

Yes, that's essentially what I was thinking would be the most likely
scenario. Still, as marienz pointed out, having workstations where access to
games is undesired, yet where they're installed nevertheless, isn't the most
common.

I'm in favor of the games group (per the second half of my last message and
for other reasons), just not extra unnecessary installation steps that
complicate the directory structure unless there's some real benefit to someone
(e.g. NFS).
--
Dan Douglas
Attachments: signature.asc (0.19 KB)


waltdnes at waltdnes

May 21, 2012, 12:17 AM

Post #8 of 13 (590 views)
Permalink
Re: Do we need games group and all that game prefixes? [In reply to]

On Sun, May 20, 2012 at 08:16:44PM +0300, Maxim Kammerer wrote
> On Sun, May 20, 2012 at 7:26 PM, Michał Górny <mgorny [at] gentoo> wrote:
> > - changing ownership and permissions of all the files.
>
> As a side note: why is /usr/games owned by uid "games"? Does
> games_pkg_setup() in games.eclass do that? What's the point of user
> "games" (as opposed to group with same name)?

I don't know the current situation, but I recall that in the past,
some games pounded away directly on the VGA hardware for speed, or
called libraries that did so. This, of course might be dangerous to
allow regular-user programs to do.

--
Walter Dnes <waltdnes [at] waltdnes>


ssuominen at gentoo

May 21, 2012, 12:26 AM

Post #9 of 13 (586 views)
Permalink
Re: Do we need games group and all that game prefixes? [In reply to]

On 05/21/2012 10:17 AM, Walter Dnes wrote:
> On Sun, May 20, 2012 at 08:16:44PM +0300, Maxim Kammerer wrote
>> On Sun, May 20, 2012 at 7:26 PM, Michał Górny <mgorny [at] gentoo> wrote:
>>> - changing ownership and permissions of all the files.
>>
>> As a side note: why is /usr/games owned by uid "games"? Does
>> games_pkg_setup() in games.eclass do that? What's the point of user
>> "games" (as opposed to group with same name)?
>
> I don't know the current situation, but I recall that in the past,
> some games pounded away directly on the VGA hardware for speed, or
> called libraries that did so. This, of course might be dangerous to
> allow regular-user programs to do.

I suppose you mean the "XFree86-DGA extension", USE="dga"?

$ cd $(portageq envvar PORTDIR)
$ grep -r IUSE.*dga */*/*.ebuild

http://qa-reports.gentoo.org/output/genrdeps/rindex/x11-libs/libXxf86dga

But I fail to see how that is relevant with this thread at all, using
the extension is controlled by the xorg-server (Xorg) which is suid root
and unrelated to 'games' (despite being used by some).

- Samuli


mk at dee

May 21, 2012, 6:13 AM

Post #10 of 13 (588 views)
Permalink
Re: Do we need games group and all that game prefixes? [In reply to]

On Mon, May 21, 2012 at 10:17 AM, Walter Dnes <waltdnes [at] waltdnes> wrote:
> I don't know the current situation, but I recall that in the past,
> some games pounded away directly on the VGA hardware for speed, or
> called libraries that did so.

I think that the main sentiment in this thread is that, while
/usr/games has found some uses in Gentoo because it's there, it is
pure legacy. However, /usr/games and associated directories *are* part
of the FHS [1], and are older than X [2].

[1] http://www.pathname.com/fhs/pub/fhs-2.3.html
[2] http://unix-tree.huihoo.org/V7/

--
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)


waltdnes at waltdnes

May 21, 2012, 3:47 PM

Post #11 of 13 (587 views)
Permalink
Re: Do we need games group and all that game prefixes? [In reply to]

On Mon, May 21, 2012 at 10:26:14AM +0300, Samuli Suominen wrote

> I suppose you mean the "XFree86-DGA extension", USE="dga"?
>
> $ cd $(portageq envvar PORTDIR)
> $ grep -r IUSE.*dga */*/*.ebuild
>
> http://qa-reports.gentoo.org/output/genrdeps/rindex/x11-libs/libXxf86dga
>
> But I fail to see how that is relevant with this thread at all, using
> the extension is controlled by the xorg-server (Xorg) which is suid root
> and unrelated to 'games' (despite being used by some).

It was more along the lines of svgalib. See...
http://linux.die.net/man/7/svgalib Is that even in the tree anymore?
If not, that's one less reason to keep games special.

--
Walter Dnes <waltdnes [at] waltdnes>


mgorny at gentoo

May 22, 2012, 7:40 AM

Post #12 of 13 (586 views)
Permalink
Re: Do we need games group and all that game prefixes? [In reply to]

I've opened a bug for this:

https://bugs.gentoo.org/show_bug.cgi?id=417101

--
Best regards,
Michał Górny
Attachments: signature.asc (0.31 KB)


kentfredric at gmail

May 24, 2012, 5:53 AM

Post #13 of 13 (570 views)
Permalink
Re: Do we need games group and all that game prefixes? [In reply to]

On 21 May 2012 04:26, Michał Górny <mgorny [at] gentoo> wrote:
> Hello,
>
> In today's MythBusters™: do we actually need the whole ugly-awful
> mangling games.eclass does for games? By that I mean:
> - installing games in random pre-/postfixes rather than standard FHS-y
>  locations,
> - changing ownership and permissions of all the files.
>
> Do we really need all of this poor man's 'you shall not play our
> games'? I don't think we're using anything like /usr/office & office
> group, or /usr/random-programs-i-dont-like.
>
> Random obscurity only makes things harder. And proves no point unless
> we're going to ensure that all web browsers, ssh clients and other
> applications in danger of being used to play games. And while we're at
> it, why don't we just take the computer away and work on paper sheets?
> Oh wait, someone could play tic-tac-toe on it...
>
> So, my proposition is: finally drop that. Install games in regular
> prefixes, like all other apps. Don't pollute systems with unnecessary
> security perimeters which don't provide any real benefit.
>
> Any comments?
>

It wouldn't be so bad if it was done once, in one module, perhaps
"games-env" or similar and all games depended on that, instead of the
current scenario, where each and every games package does magic to set
up the right env bits. ( including creating profiles/groups if they
don't already exist, and stuffing paths in $PATH for all users even if
they're not in the games group, which causes bugs with git ... )

https://bugs.gentoo.org/show_bug.cgi?id=408615




--
Kent

perl -e  "print substr( \"edrgmaM  SPA NOcomil.ic\\@tfrken\", \$_ * 3,
3 ) for ( 9,8,0,7,1,6,5,4,3,2 );"

http://kent-fredric.fox.geek.nz
