# Steam security on FreeBSD



## PaddyMac (Apr 9, 2021)

It is somewhat inconvenient to have to set up a dedicated user for Steam and then have to switch between users for gaming on Steam with one account and for other activities on another account. The documentation recommends installing Steam on a non-wheel user account. If you try to run steam-install for a user in the wheel group, you get the following message:

```
Please, consider setting up a dedicated OS user account for Steam.
Otherwise each and every Steam game will have unrestricted access to your files.
If you really couldn't care less, you can suppress this message with
--allow-stealing-my-passwords,-browser-history-and-ssh-keys flag.
```

So I'm wondering. Is Steam a security risk on Linux also? Is there something particular about the way Steam works on FreeBSD that makes it a security risk (moreso than on Windows or Linux)? Or is this mainly a bit of caution/paranoia simply because we're dealing with closed-source binaries instead of open source? And would there be any drawbacks to removing the wheel group from my main user and adding my main user account to the sudoers file so that I can still do actions as root when necessary and safely use Steam with my main user? Or does this not address the security concerns? I assumed at first that the concern was about Steam or games somehow gaining root privileges because of being in the wheel group. Is this the concern? Or is it only about the possibility of access to files, browser history, ssh keys, or other sensitive data in the home directory? But also, why is Steam singled out for this treatment? There is other closed-source software in FreeBSD ports that doesn't include dire warnings like this.


----------



## shkhln (Apr 9, 2021)

PaddyMac said:


> So I'm wondering. Is Steam a security risk on Linux also?


Don't be silly. Of course it is.



PaddyMac said:


> Is there something particular about the way Steam works on FreeBSD that makes it a security risk (moreso than on Windows or Linux)?


Nope.



PaddyMac said:


> And would there be any drawbacks to removing the wheel group from my main user and adding my main user account to the sudoers file so that I can still do actions as root when necessary and safely use Steam with my main user? Or does this not address the security concerns?


Did you _read_ the message?



PaddyMac said:


> Or is this mainly a bit of caution/paranoia simply because we're dealing with closed-source binaries instead of open source?





PaddyMac said:


> But also, why is Steam singled out for this treatment? There is other closed-source software in FreeBSD ports that doesn't include dire warnings like this.


Other closed-source software (in our ports) doesn't act as a package manager for countless _other_ closed-source software. The lack of source code itself is not a problem, diffusion of trust is. I don't expect Valve to install malware, however there is nothing preventing random Joe the Indie Developer or Acme Entertainment corporation from doing so. Moreover, there is a nonzero possibility otherwise trustworthy game developers themselves can be hacked with malicious purposes.


----------



## rootbert (Apr 9, 2021)

PaddyMac said:


> It is somewhat inconvenient to have to set up a dedicated user for Steam and then have to switch between users for gaming on Steam with one account and for other activities on another account. The documentation recommends installing Steam on a non-wheel user account.


Security and convenience is always a tradeoff. If you care about security, use a dedicated user. If you care more about security, use a dedicated operating system to boot for gaming that has no access to your valuable encrypted data.



PaddyMac said:


> Or is this mainly a bit of caution/paranoia simply because we're dealing with closed-source binaries instead of open source?


Dealing with closed-source binaries means you use a blackbox. Using a blackbox is always a risk - every professional working on the topic of security will tell you that. (If someone is trying to tell you otherwise, she is a salesperson.)


----------
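A dedicated Steam account only protects the files that account cannot read, so the main user's home directory permissions matter as much as the account split. The following check is an added example, not part of the thread or of the Steam port: it lists sensitive entries in a home directory that any other local account could reach through the "other" permission bits. The function names and the list of paths are assumptions chosen for illustration, and it assumes the dedicated account shares no group with the main user and that no ACLs are in use.

```shell
#!/bin/sh
# Print the three "other" permission characters of a path, e.g. "r-x".
other_perms() {
    ls -ld "$1" 2>/dev/null | cut -c8-10
}

# exposed_paths HOME
# Print sensitive entries under HOME that an unrelated local account
# (such as a dedicated Steam user) can open.
exposed_paths() {
    home=$1
    # Without search (x) permission for "other" on HOME itself,
    # nothing below it is reachable, whatever its own mode is.
    case $(other_perms "$home") in
        ??x|??t) ;;
        *) return 0 ;;
    esac
    # Illustrative list: SSH keys, GnuPG keyring, browser profile,
    # application configuration, stored network credentials.
    for rel in .ssh .gnupg .mozilla .config .netrc; do
        p="$home/$rel"
        [ -e "$p" ] || continue
        perms=$(other_perms "$p")
        if [ -d "$p" ]; then
            # A directory can be entered when "other" has x.
            case $perms in ??x|??t) echo "$p" ;; esac
        else
            # A regular file can be read when "other" has r.
            case $perms in r??) echo "$p" ;; esac
        fi
    done
}

# Stand-alone use: sh script.sh /home/youruser
if [ -n "${1:-}" ]; then
    exposed_paths "$1"
fi
```

An empty result means the listed entries are closed to other accounts; `chmod 700` on the home directory is enough to produce that result for every entry at once.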



## shkhln (Apr 9, 2021)

Strictly speaking, a third party repo with binary packages of open-source software would be as much of a security concern as Steam is. Perhaps a bit easier to audit.


----------



## Deleted member 30996 (Apr 9, 2021)

rootbert said:


> Security and convenience is always a tradeoff. If you care about security, use a dedicated user. If you care more about security, use a dedicated operating system to boot for gaming that has no access to your valuable encrypted data.


When I bought a videogame and Steam came bundled with it that qualified as malware for me.


----------



## tingo (Apr 9, 2021)

If you care, use a dedicated machine for Steam.


----------



## Beastie7 (Apr 10, 2021)

Someone complain more to the committers about bhyve GPU passthrough. I smell opportunity in the air.


----------



## rootbert (Apr 15, 2021)

tralala ... https://www.vice.com/en/article/dyv...hackers-to-take-over-a-pc-with-a-steam-invite


----------



## kpedersen (Apr 16, 2021)

Game developers are also a little bit incompetent when it comes to security. Sure they might be whizzes when it comes to linear algebra but they can also be completely impractical when it comes to "correct" solutions. (Possibly making Windows even more attractive to them).


----------



## SteamBSD (Apr 17, 2021)

Your problem is *solved* in SteamBSD (just use https://pypi.org/project/steam-acolyte/ to switch account [gui frontend])





--- SteamBSD © is FREE operating system.
YouTube: https://www.youtube.com/channel/UC8wwRY8yGWiJ-bIQlK0wvUA
Site (download ISO/IMG): https://lpros.blogspot.com
Github (internet installer): https://github.com/steambsd/os
Email: steambsd@gmail.com


----------

