Security concerns with STEAM

Questions about applications and software
Forum rules
Before you post please read how to get help
Post Reply
lazarus
Level 3
Level 3
Posts: 132
Joined: Mon Jul 02, 2018 11:36 pm
Location: Oberon, OZ

Security concerns with STEAM

Post by lazarus » Mon Aug 20, 2018 1:38 am

Having had security issues with STEAM under Windows, I deleted it and for a long time went without. Now that I have my Linux Mint system up and running satisfactorily, I thought I'd try it again, given that Linux has much better permissions control.

So, after rummaging around for what seemed like forever to find my STEAM details, I used firefox and checked my account. Naturally, I had to download the STEAM software and then the few games I had in my library.

Now, keep in mind that this was all done through the Firefox browser using a standard user's account.

After installing everything and taking it for a test run, I did a whereis steam as a matter of habit and was surprised to see files in /usr/bin. On checking, there are indeed steam & steamdeps executables in there. Both owned by root with rwxr-xr-x permissions. :shock:

Now, given that at no time was I asked for root authentication how did they get there with those permissions? I could understand if they were installed in my /home... but they're not.

This concerns me deeply. Even the idea that a user can install something in another user's account simply by using a browser is disturbing.

Or am I misunderstanding some basic concept and over-reacting?
- Andy

I may be weird but I'm saving up to become eccentric.

User avatar
catweazel
Level 16
Level 16
Posts: 6934
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: Security concerns with STEAM

Post by catweazel » Mon Aug 20, 2018 2:00 am

lazarus wrote:
Mon Aug 20, 2018 1:38 am
Or am I misunderstanding some basic concept and over-reacting?
Possibly. If you did the install at the command line using sudo, it's highly likely that the previous use of your password was cached from a previous use of sudo. In this case, sudo doesn't ask for permission. There is a timeout period but I can't recall if it's one minute or what.
Caution: Dancing Wu Li Master and Official curmudgeon-in-chief

User avatar
smurphos
Level 6
Level 6
Posts: 1389
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher...

Re: Security concerns with STEAM

Post by smurphos » Mon Aug 20, 2018 2:04 am

Run dpkg -S /path/to/file for the files in question. That will tell you if they are part of a known apt package. You can then use the apt logs to track down when it was installed and what triggered the installation.

lazarus
Level 3
Level 3
Posts: 132
Joined: Mon Jul 02, 2018 11:36 pm
Location: Oberon, OZ

Re: Security concerns with STEAM

Post by lazarus » Mon Aug 20, 2018 2:37 am

Code: Select all

lazarus@Beelzebub ~ $ dpkg -S /usr/bin/steam
steam-launcher: /usr/bin/steam
:sigh:

It wasn't installed via apt, the logs are refreshingly clean of steam. However, dpkg.log does show:
2018-08-16 15:06:05 install steam-launcher:all <none> 1.0.0.55
...so I guess that I must have authenticated it.

Which is odd, given my previous concerns and my intent to ensure it installed 'user only.'

"Dave, my mind is going. I can feel it. I can feel it."
- Andy

I may be weird but I'm saving up to become eccentric.

User avatar
smurphos
Level 6
Level 6
Posts: 1389
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher...

Re: Security concerns with STEAM

Post by smurphos » Mon Aug 20, 2018 2:49 am

You can look in /var/logs/apt/history.log for the corresponding entry for a bit more info on the context that installation happened.

E.g this was an update manager update to an existing package.

Code: Select all

Start-Date: 2018-08-19  19:50:15
Commandline: /usr/sbin/synaptic --hide-main-window --non-interactive --parent-window-id 92274708 -o Synaptic::closeZvt=true --set-selections-file /tmp/tmpxi6xl9wu
Requested-By: steve (1000)
Upgrade: adapta-gtk-theme:amd64 (3.94.0.96-0ubuntu1~bionic1, 3.94.0.106-0ubuntu1~bionic1)
End-Date: 2018-08-19  19:50:23
This was via apt from the terminal...

Code: Select all

Start-Date: 2018-08-19  11:30:03
Commandline: /usr/bin/apt install beep
Requested-By: steve (1000)
Install: beep:amd64 (1.3-4+deb9u1)
End-Date: 2018-08-19  11:30:13
This is an installation from within synaptic

Code: Select all

Start-Date: 2018-08-18  08:04:30
Commandline: /usr/sbin/synaptic
Requested-By: steve (1000)
Install: stacer:amd64 (1.0.9-1~bionic)
End-Date: 2018-08-18  08:04:35

gm10
Level 9
Level 9
Posts: 2597
Joined: Thu Jun 21, 2018 5:11 pm

Re: Security concerns with STEAM

Post by gm10 » Mon Aug 20, 2018 2:58 am

lazarus wrote:
Mon Aug 20, 2018 2:37 am

Code: Select all

lazarus@Beelzebub ~ $ dpkg -S /usr/bin/steam
steam-launcher: /usr/bin/steam
If you install Steam from the official repositories it has neither that file nor even that package. I hope what you installed came at least from Valve directly.
lazarus wrote:
Mon Aug 20, 2018 1:38 am
Or am I misunderstanding some basic concept and over-reacting?
Depends on what you're worried about. The fact that the file is root-owned doesn't mean it runs with root permissions.

User avatar
smurphos
Level 6
Level 6
Posts: 1389
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher...

Re: Security concerns with STEAM

Post by smurphos » Mon Aug 20, 2018 3:24 am

it was probably this deb which is presented to linux users on the steam site who hit download steam links...

https://steamcdn-a.akamaihd.net/client/ ... /steam.deb - which actually downloads as steam-latest.deb

lazarus
Level 3
Level 3
Posts: 132
Joined: Mon Jul 02, 2018 11:36 pm
Location: Oberon, OZ

Re: Security concerns with STEAM

Post by lazarus » Mon Aug 20, 2018 5:28 am

Yes. Yes it was.

I hadn't realised that it was available through the repositories... in all honesty I didn't even think to look.
- Andy

I may be weird but I'm saving up to become eccentric.

Post Reply

Return to “Software & Applications”