Setgid

From NetHackWiki
Jump to navigation Jump to search

NetHack needs to be able to write files into a directory called the playground. This is necessary to save games, to delete saved games when loading them, to save persistent levels during gameplay, to log games, and to add to the list of high scores. However, on multiuser Unix systems, users should not have write permision to the playground except when they play NetHack. Why let users cheat, or worse, corrupt the saves of other users?

The solution is to give write access for the playground not to the users, but to a special Unix group such as games. Then chown the executable to user root, group games and set the setgid bit. When the game starts, the system will set the effective group id to games and NetHack will have the privileges necessary to write to the playground.

This sort of arrangement dates back to Hack, which needed this setup for the same reasons as NetHack does. Here is Hack 1.0.3 upon Kernigh's OpenBSD system:

$ ls -l /usr/games/hack
-r-xr-sr-x  1 root  games  250568 Mar  1  2006 /usr/games/hack
$ ls -ld /var/games/hackdir
drwxrwxr-x  3 root  games  512 Jul 18 15:50 /var/games/hackdir

A user has suggested improving this page or section as follows:

"Perhaps someone should edit the page and provide this info for their NetHack installation. Note that the nethack command is a shell script and that the setgid executable might be in the playground somewhere."

The "s" in "-r-xr-sr-x" indicates that setgid is set. The group of the setgid executable (here /usr/games/hack) and that of the playground (here /var/games/hackdir) must match.