Security concerns with STEAM

[lazarus]

Having had security issues with STEAM under Windows, I deleted it and for a long time went without. Now that I have my Linux Mint system up and running satisfactorily, I thought I'd try it again, given that Linux has much better permissions control.

So, after rummaging around for what seemed like forever to find my STEAM details, I used firefox and checked my account. Naturally, I had to download the STEAM software and then the few games I had in my library.

Now, keep in mind that this was all done through the Firefox browser using a standard user's account.

After installing everything and taking it for a test run, I did a whereis steam as a matter of habit and was surprised to see files in /usr/bin. On checking, there are indeed steam & steamdeps executables in there. Both owned by root with rwxr-xr-x permissions.

Now, given that at no time was I asked for root authentication how did they get there with those permissions? I could understand if they were installed in my /home... but they're not.

This concerns me deeply. Even the idea that a user can install something in another user's account simply by using a browser is disturbing.

Or am I misunderstanding some basic concept and over-reacting?

[catweazel]

Or am I misunderstanding some basic concept and over-reacting?

Possibly. If you did the install at the command line using sudo, it's highly likely that the previous use of your password was cached from a previous use of sudo. In this case, sudo doesn't ask for permission. There is a timeout period but I can't recall if it's one minute or what.

[smurphos]

Run dpkg -S /path/to/file for the files in question. That will tell you if they are part of a known apt package. You can then use the apt logs to track down when it was installed and what triggered the installation.

[lazarus]

Code: Select all

lazarus@Beelzebub ~ $ dpkg -S /usr/bin/steam
steam-launcher: /usr/bin/steam

:sigh:

It wasn't installed via apt, the logs are refreshingly clean of steam. However, dpkg.log does show:
2018-08-16 15:06:05 install steam-launcher:all <none> 1.0.0.55
...so I guess that I must have authenticated it.

Which is odd, given my previous concerns and my intent to ensure it installed 'user only.'

"Dave, my mind is going. I can feel it. I can feel it."

[smurphos]

You can look in /var/logs/apt/history.log for the corresponding entry for a bit more info on the context that installation happened.

E.g this was an update manager update to an existing package.

Code: Select all

Start-Date: 2018-08-19  19:50:15
Commandline: /usr/sbin/synaptic --hide-main-window --non-interactive --parent-window-id 92274708 -o Synaptic::closeZvt=true --set-selections-file /tmp/tmpxi6xl9wu
Requested-By: steve (1000)
Upgrade: adapta-gtk-theme:amd64 (3.94.0.96-0ubuntu1~bionic1, 3.94.0.106-0ubuntu1~bionic1)
End-Date: 2018-08-19  19:50:23

This was via apt from the terminal...

Code: Select all

Start-Date: 2018-08-19  11:30:03
Commandline: /usr/bin/apt install beep
Requested-By: steve (1000)
Install: beep:amd64 (1.3-4+deb9u1)
End-Date: 2018-08-19  11:30:13

This is an installation from within synaptic

Code: Select all

Start-Date: 2018-08-18  08:04:30
Commandline: /usr/sbin/synaptic
Requested-By: steve (1000)
Install: stacer:amd64 (1.0.9-1~bionic)
End-Date: 2018-08-18  08:04:35

[gm10]

Code: Select all

lazarus@Beelzebub ~ $ dpkg -S /usr/bin/steam
steam-launcher: /usr/bin/steam

If you install Steam from the official repositories it has neither that file nor even that package. I hope what you installed came at least from Valve directly.

Or am I misunderstanding some basic concept and over-reacting?

Depends on what you're worried about. The fact that the file is root-owned doesn't mean it runs with root permissions.

[smurphos]

it was probably this deb which is presented to linux users on the steam site who hit download steam links...

https://steamcdn-a.akamaihd.net/client/ ... /steam.deb - which actually downloads as steam-latest.deb

[lazarus]

Yes. Yes it was.

I hadn't realised that it was available through the repositories... in all honesty I didn't even think to look.