Date: Tue, 1 Jan 2013 20:21:54 -0500
From: Philip Webb
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: gentoo netheck
Message-ID: <20130102012154.GA1084@ca.inter.net>
References: <50E32270.8000500@gmail.com> <20130101104432.5a742b26@khumba.net> <877gnw5yi3.fsf@ist.utl.pt>
In-Reply-To: <877gnw5yi3.fsf@ist.utl.pt>

130102 Nuno J. Silva wrote:
> On 2013-01-01, Bryan Gardiner wrote:
>> Today I wanted to install nethack and found it is masked:
> If you're the only user of your computer, you could also just unmask
> the version in Portage. The bug is that any user in the games group
> can edit all save files, so if you want to hack your own saves, go ahead.
> The main problem is not the cheating, but that nethack does not employ
> any kind of checks on the scores file when reading it, this effectively
> enables an attack vector where anyone with access to the scores file can
> exploit vulnerabilities in nethack simply by writing a specially-crafted
> score file.
> Nethack just relies on being setgid to a group and installing the scores
> file as writeable by that group. Unfortunately, that happens to be the
> very same "games" group Gentoo uses to group users who are allowed to
> play games, therefore rendering nethack's protection useless.

Does the insecurity extend beyond Nethack itself ?
-- if not, hard-masking it seems a bit draconian:
it sb quite safe on a single-user system.

-- 
========================,,============================================
SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatchassdotutorontodotca
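An added example, not part of the original message and not nethack or Gentoo code: a small audit of the trust model the quoted text describes, reporting when a group-writable data file can be written directly by accounts in its group instead of only through the setgid binary. The function names, the gid 35 and the user names are assumptions made for illustration.

```python
import grp
import os
import pwd
import stat


def group_users(gid):
    """Accounts that hold gid as a supplementary or primary group."""
    try:
        users = set(grp.getgrgid(gid).gr_mem)   # supplementary members
    except KeyError:                            # gid missing from the group database
        users = set()
    # gr_mem omits accounts whose *primary* group is gid, so add those too.
    users.update(p.pw_name for p in pwd.getpwall() if p.pw_gid == gid)
    return sorted(users)


def assess(file_mode, members):
    """Findings for a data file that a setgid program reads without validation.

    An empty list means only a process running with the group (the setgid
    binary) can write the file, which is the model the program relies on.
    """
    findings = []
    if file_mode & stat.S_IWOTH:
        findings.append("data file is world-writable")
    if file_mode & stat.S_IWGRP and members:
        findings.append("data file is directly writable by group members: "
                        + ", ".join(members))
    return findings


def audit(data_file, members=None):
    """Stat the file and apply assess(); members can be injected for testing."""
    st = os.stat(data_file)
    if members is None:
        members = group_users(st.st_gid)
    return assess(st.st_mode, members)


if __name__ == "__main__":
    # Constructed input: a 0664 score file whose group (hypothetical gid 35)
    # also contains ordinary player accounts.
    for finding in assess(0o100664, ["alice", "bob"]):
        print(finding)
    # Same file mode, but a dedicated group with no login members: no findings.
    print(assess(0o100664, []))
```
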