Steam security on FreeBSD

It is somewhat inconvenient to have to set up a dedicated user for Steam and then have to switch between users for gaming on Steam with one account and for other activities on another account. The documentation recommends installing Steam on a non-wheel user account. If you try to run steam-install for a user in the wheel group, you get the following message:

Please, consider setting up a dedicated OS user account for Steam.
Otherwise each and every Steam game will have unrestricted access to your files.
If you really couldn't care less, you can suppress this message with
--allow-stealing-my-passwords,-browser-history-and-ssh-keys flag.

So I'm wondering. Is Steam a security risk on Linux also? Is there something particular about the way Steam works on FreeBSD that makes it a security risk (more so than on Windows or Linux)? Or is this mainly a bit of caution/paranoia simply because we're dealing with closed-source binaries instead of open source? And would there be any drawbacks to removing the wheel group from my main user and adding my main user account to the sudoers file so that I can still do actions as root when necessary and safely use Steam with my main user? Or does this not address the security concerns? I assumed at first that the concern was about Steam or games somehow gaining root privileges because of being in the wheel group. Is this the concern? Or is it only about the possibility of access to files, browser history, ssh keys, or other sensitive data in the home directory? But also, why is Steam singled out for this treatment? There is other closed-source software in FreeBSD ports that doesn't include dire warnings like this.
 
So I'm wondering. Is Steam a security risk on Linux also?
Don't be silly. Of course it is.

Is there something particular about the way Steam works on FreeBSD that makes it a security risk (more so than on Windows or Linux)?
Nope.

And would there be any drawbacks to removing the wheel group from my main user and adding my main user account to the sudoers file so that I can still do actions as root when necessary and safely use Steam with my main user? Or does this not address the security concerns?
Did you read the message?

Or is this mainly a bit of caution/paranoia simply because we're dealing with closed-source binaries instead of open source?
But also, why is Steam singled out for this treatment? There is other closed-source software in FreeBSD ports that doesn't include dire warnings like this.
Other closed-source software (in our ports) doesn't act as a package manager for countless other closed-source software. The lack of source code itself is not a problem, diffusion of trust is. I don't expect Valve to install malware; however, there is nothing preventing random Joe the Indie Developer or Acme Entertainment corporation from doing so. Moreover, there is a nonzero possibility that otherwise trustworthy game developers themselves can be hacked with malicious purposes.
 
It is somewhat inconvenient to have to set up a dedicated user for Steam and then have to switch between users for gaming on Steam with one account and for other activities on another account. The documentation recommends installing Steam on a non-wheel user account.
Security and convenience is always a tradeoff. If you care about security, use a dedicated user. If you care more about security, use a dedicated operating system to boot for gaming that has no access to your valuable encrypted data.

Or is this mainly a bit of caution/paranoia simply because we're dealing with closed-source binaries instead of open source?
Dealing with closed-source binaries means you use a blackbox. Using a blackbox is always a risk - every professional working on the topic of security will tell you that. (If someone is trying to tell you otherwise, she is a salesperson.)
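
A dedicated Steam account only protects files that the account cannot reach through the "other" permission bits of your main home directory. The script below is an added example, not part of the thread or of the FreeBSD port; it assumes no ACLs, no shared group between the two accounts, and traversable directories above the home, and its list of sensitive paths is illustrative.

```sh
#!/bin/sh
# Added example: report which sensitive paths under a home directory are
# reachable via the "other" permission bits, i.e. by a separate unprivileged
# account such as a dedicated Steam user.

# Print the three "other" permission characters of a path, e.g. "r-x".
# Parsing `ls -ld` works on both FreeBSD and Linux (stat flags differ).
other_bits() {
    ls -ld "$1" 2>/dev/null | cut -c8-10
}

# Return 0 if "other" can read relative path $2 inside home directory $1.
other_can_read() {
    cur=$1
    rest=$2
    while :; do
        # Every directory on the way down must be searchable by "other".
        case $(other_bits "$cur") in
            ??x|??t) ;;
            *) return 1 ;;
        esac
        case $rest in
            */*) cur=$cur/${rest%%/*}; rest=${rest#*/} ;;
            *) break ;;
        esac
    done
    target=$cur/$rest
    [ -e "$target" ] || return 1
    case $(other_bits "$target") in
        r??) return 0 ;;
        *) return 1 ;;
    esac
}

# Check an illustrative list of sensitive paths and print the exposed ones.
audit_home() {
    home=$1
    for rel in .ssh/id_ed25519 .ssh/config .netrc .gnupg .mozilla; do
        if other_can_read "$home" "$rel"; then
            echo "EXPOSED $rel"
        fi
    done
}

# Usage: sh audit.sh /home/youruser
if [ $# -gt 0 ]; then audit_home "$1"; fi
```

A home directory with mode 0700 makes every path below it unreachable regardless of the modes of the files inside, which is why the walk checks each directory before the target.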
 
Strictly speaking, a third party repo with binary packages of open-source software would be as much of a security concern as Steam is. Perhaps a bit easier to audit.
 
Security and convenience is always a tradeoff. If you care about security, use a dedicated user. If you care more about security, use a dedicated operating system to boot for gaming that has no access to your valuable encrypted data.
When I bought a videogame and Steam came bundled with it that qualified as malware for me.
 
Game developers are also a little bit incompetent when it comes to security. Sure they might be whizzes when it comes to linear algebra but they can also be completely impractical when it comes to "correct" solutions. (Possibly making Windows even more attractive to them).
 