[aur-general] Software packaging - Security question

Nuno Araujo nuno.araujo at russo79.com
Thu Jan 10 05:36:25 EST 2013


Hi

I am trying to create a package for the subvein[1] game.

The game's installation instructions[2] say to simply uncompress the
tar.gz archive in a folder and run the "Subvein" program.

No problem with that. But then when running the game, it tries to store
information in its "data" folder (logs, configuration, user
profiles...). We have a permission problem.

To work around this problem, I:
- Created a group named "subvein";
- Set the setgid bit for the game "data" folder and all its sub-folders;
- Set the game "data" folder and all its content group writable;
- Set the group of the game "data" folder to the "subvein" group;
- Created a wrapper bash script that changes the umask to 002 and then
launches the game.

This way, all the contents created by the game will belong to the
"subvein" group and will be group writable, so that anyone can use the game.

Is this a valid way of doing it? Are there any security concerns I need
to take into account?

The game also has a "server" part. I haven't started handling this
in the package yet, but was thinking of doing the following:

- Create a user named subvein that belongs only to the subvein group.
- Create a systemd .service file that runs the server program as the
subvein user.

Does this seem OK as an approach?


Thank you for your help.

P.S. You can find my "draft" of the PKGBUILD, the install script and the
bash wrapper attached.


[1] http://subvein.net/
[2] http://subvein.net/download.php
-- 
Nuno Araujo <nuno.araujo at russo79.com>
-------------- next part --------------
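#! /bin/sh

# Run from the install directory; stop if it is missing.
cd /opt/subvein || exit 1
# Files the game creates must be group writable.
umask 002
exec ./Subvein "$@"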

-------------- next part --------------
post_install() {
  # Create the group only if it does not exist yet (exact name lookup).
  if ! getent group subvein > /dev/null; then
    groupadd subvein &> /dev/null
  fi

  chgrp -R subvein /opt/subvein/data
  echo "  >> Add yourself to the subvein group to run the game."
}

post_upgrade() {
  post_install 
}

pre_remove() {
  groupdel subvein &> /dev/null
}

-------------- next part --------------
# Maintainer: Nuno Araujo <nuno.araujo at russo79.com>
pkgname=subvein
pkgver=0.73
pkgrel=1
pkgdesc="Free multiplayer action game"
arch=('i686' 'x86_64')
url="http://subvein.net"
license=('GPL')
depends=()
if [[ "$CARCH" == "x86_64" ]]; then
  depends+=('lib32-glu' 'lib32-libxrandr' 'lib32-libgl' 'lib32-openal' 'lib32-freealut')
else
  depends+=('glu' 'libxrandr' 'libgl' 'openal' 'freealut')
fi
optdepends=()
install=subvein.install
source=("http://subvein.net/downloads/Subvein0730.tar.gz"
        "subvein")
md5sums=('76845fa4502363c02362954a6ae6c6c6'
         'f0741d0f778acb0ef2422c51b2a0e587')

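package() {
  mkdir -p "$pkgdir/opt/subvein"
  cp -r "$srcdir/Subvein/." "$pkgdir/opt/subvein"
  rm -rf "$pkgdir/opt/subvein/lib"
  # Only "data" is written at run time: make it group writable and setgid
  # so new files inherit the group (post_install sets it to "subvein").
  chmod -R g+w "$pkgdir/opt/subvein/data"
  find "$pkgdir/opt/subvein/data" -type d -exec chmod g+s {} +

  install -m 755 -D "$srcdir/subvein" "$pkgdir/usr/bin/subvein"
}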

# vim:set ts=2 sw=2 et:
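
Added example (not part of the original message or its attachments): a POSIX shell check that a directory tree actually follows the shared-group scheme listed in the message (group ownership, setgid directories, group-writable content) and reports anything that drifts from it. The function name audit_shared_dir and the finding labels are made up for this illustration.

```sh
#!/bin/sh
# Added example, not from the original post. audit_shared_dir and the
# finding labels are names made up for this illustration.
# Usage: audit_shared_dir DIR GROUP   (e.g. /opt/subvein/data subvein)
# Prints one "label path" line per deviation; returns 0 when clean,
# 1 when deviations exist, 2 on bad arguments.
audit_shared_dir() {
    dir=$1
    group=$2
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    findings=$(
        # Everything must belong to the shared group.
        find "$dir" ! -group "$group" -exec printf 'wrong-group %s\n' {} \;
        # Directories need setgid so new entries inherit the group.
        find "$dir" -type d ! -perm -2000 -exec printf 'no-setgid %s\n' {} \;
        # Files written under a umask stricter than 002 lock out other members.
        find "$dir" ! -type l ! -perm -020 -exec printf 'not-group-writable %s\n' {} \;
        # Group access is the goal; world-writable entries go beyond it.
        find "$dir" ! -type l -perm -002 -exec printf 'world-writable %s\n' {} \;
        # setuid/setgid regular files do not belong in a writable data tree.
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -exec printf 'setid-file %s\n' {} \;
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# When run as a script with two arguments, audit that tree.
if [ "$#" -eq 2 ]; then
    audit_shared_dir "$1" "$2"
fi
```

A file created by a process that bypassed the umask 002 wrapper shows up as not-group-writable, and a directory created without the inherited setgid bit shows up as no-setgid.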