From: nunojsilva@ist.utl.pt (Nuno J. Silva)
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: gentoo netheck
Date: Wed, 02 Jan 2013 00:28:36 +0200 [thread overview]
Message-ID: <877gnw5yi3.fsf@ist.utl.pt> (raw)
In-Reply-To: 20130101104432.5a742b26@khumba.net
On 2013-01-01, Bryan Gardiner wrote:
> On Wed, 2 Jan 2013 02:01:52 +0800
> Analuin Abyssbeholder <cntqrxj@gmail.com> wrote:
>
>> Today I wanted to install nethack and found it is masked:
>>
>> The following mask changes are necessary to proceed:
>> #required by nethack (argument)
>> # /usr/portage/profiles/package.mask:
>> # Tavis Ormandy <taviso@gentoo.org> <taviso@gentoo.org> (21 Mar 2006)
>> # masked pending unresolved security issues #125902
>> =games-roguelike/nethack-3.4.3-r1
>>
>> Then I googled and view
>> https://bugs.gentoo.org/show_bug.cgi?id=125902#c82.
Well, you could have just gone to bugs.gentoo.org and searched for
125902 :-)
>> It turned out the bug has been existed for more than six years and is
>> related to gentoo's group game policy. So can I just manually install
>> nethack as a common user ?
>
> If you're the only user of your computer, you could also just unmask
> the version in Portage. The bug is that any user in the games group
> can edit all save files, so if you want to hack your own saves, go
> ahead :). Or if you trust all games users.
The main problem is not the cheating, but that nethack does not employ
any kind of checks on the scores file when reading it, this effectively
enables an attack vector where anyone with access to the scores file can
exploit vulnerabilities in nethack simply by writing a specially-crafted
score file.
Nethack just relies on being setgid to a group and installing the scores
file as writeable by that group. Unfortunately, that happens to be the
very same "games" group Gentoo uses to group users who are allowed to
play games, therefore rendering nethack's protection useless.
>
> Doesn't look like there's any newer version of NetHack out, either.
>
> Cheers,
> Bryan
>
>
--
Nuno Silva (aka njsg)
http://njsg.sdf-eu.org/
next prev parent reply other threads:[~2013-01-01 22:26 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <50E32270.8000500@gmail.com>
2013-01-01 18:01 ` [gentoo-user] gentoo netheck Analuin Abyssbeholder
2013-01-01 18:12 ` Analuin Abyssbeholder
2013-01-01 18:44 ` Bryan Gardiner
2013-01-01 22:28 ` Nuno J. Silva [this message]
2013-01-02 1:21 ` [gentoo-user] " Philip Webb
2013-01-02 14:30 ` Nuno J. Silva
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877gnw5yi3.fsf@ist.utl.pt \
--to=nunojsilva@ist.utl.pt \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox