[gentoo-user] gentoo netheck

[gentoo-user] gentoo netheck

[Analuin Abyssbeholder]

[-- Attachment #1: Type: text/plain, Size: 586 bytes --]

 Today I wanted to install nethack and found it is masked:

 The following mask changes are necessary to proceed:
#required by nethack (argument)
# /usr/portage/profiles/package.mask:
# Tavis Ormandy <taviso@gentoo.org> <taviso@gentoo.org> (21 Mar 2006)
# masked pending unresolved security issues #125902
=games-roguelike/nethack-3.4.3-r1

Then I googled and view  https://bugs.gentoo.org/show_bug.cgi?id=125902#c82.

It turned out the bug has been existed for more than six years and is
related to gentoo's group game policy. So can I just manually install
nethack as a common user ?

[-- Attachment #2: Type: text/html, Size: 967 bytes --]

[gentoo-user] gentoo netheck

[Analuin Abyssbeholder]

[-- Attachment #1: Type: text/plain, Size: 672 bytes --]

 I'm sorry for the last email. My gmail made a mistake by sending an
incomplete draft.
Today I wanted to install nethack and found it is masked:

 The following mask changes are necessary to proceed:
#required by nethack (argument)
# /usr/portage/profiles/package.mask:
# Tavis Ormandy <taviso@gentoo.org> <taviso@gentoo.org> (21 Mar 2006)
# masked pending unresolved security issues #125902
=games-roguelike/nethack-3.4.3-r1

Then I googled and view  https://bugs.gentoo.org/show_bug.cgi?id=125902#c82.
 It turned out the bug has been existed for more than six years and is
related to gentoo's group game policy. So can I just manually install
nethack as a common user ?

[-- Attachment #2: Type: text/html, Size: 1053 bytes --]

Re: [gentoo-user] gentoo netheck

[Bryan Gardiner]

On Wed, 2 Jan 2013 02:01:52 +0800
Analuin Abyssbeholder <cntqrxj@gmail.com> wrote:

>  Today I wanted to install nethack and found it is masked:
> 
>  The following mask changes are necessary to proceed:
> #required by nethack (argument)
> # /usr/portage/profiles/package.mask:
> # Tavis Ormandy <taviso@gentoo.org> <taviso@gentoo.org> (21 Mar 2006)
> # masked pending unresolved security issues #125902
> =games-roguelike/nethack-3.4.3-r1
> 
> Then I googled and view
> https://bugs.gentoo.org/show_bug.cgi?id=125902#c82.
> 
> It turned out the bug has been existed for more than six years and is
> related to gentoo's group game policy. So can I just manually install
> nethack as a common user ?

If you're the only user of your computer, you could also just unmask
the version in Portage.  The bug is that any user in the games group
can edit all save files, so if you want to hack your own saves, go
ahead :).  Or if you trust all games users.

Doesn't look like there's any newer version of NetHack out, either.

Cheers,
Bryan

[gentoo-user] Re: gentoo netheck

[Nuno J. Silva]

On 2013-01-01, Bryan Gardiner wrote:

> On Wed, 2 Jan 2013 02:01:52 +0800
> Analuin Abyssbeholder <cntqrxj@gmail.com> wrote:
>
>>  Today I wanted to install nethack and found it is masked:
>> 
>>  The following mask changes are necessary to proceed:
>> #required by nethack (argument)
>> # /usr/portage/profiles/package.mask:
>> # Tavis Ormandy <taviso@gentoo.org> <taviso@gentoo.org> (21 Mar 2006)
>> # masked pending unresolved security issues #125902
>> =games-roguelike/nethack-3.4.3-r1
>> 
>> Then I googled and view
>> https://bugs.gentoo.org/show_bug.cgi?id=125902#c82.

Well, you could have just gone to bugs.gentoo.org and searched for
125902 :-)

>> It turned out the bug has been existed for more than six years and is
>> related to gentoo's group game policy. So can I just manually install
>> nethack as a common user ?
>
> If you're the only user of your computer, you could also just unmask
> the version in Portage.  The bug is that any user in the games group
> can edit all save files, so if you want to hack your own saves, go
> ahead :).  Or if you trust all games users.

The main problem is not the cheating, but that nethack does not employ
any kind of checks on the scores file when reading it, this effectively
enables an attack vector where anyone with access to the scores file can
exploit vulnerabilities in nethack simply by writing a specially-crafted
score file.

Nethack just relies on being setgid to a group and installing the scores
file as writeable by that group. Unfortunately, that happens to be the
very same "games" group Gentoo uses to group users who are allowed to
play games, therefore rendering nethack's protection useless.

>
> Doesn't look like there's any newer version of NetHack out, either.
>
> Cheers,
> Bryan
>
>

-- 
Nuno Silva (aka njsg)
http://njsg.sdf-eu.org/

Re: [gentoo-user] Re: gentoo netheck

[Philip Webb]

130102 Nuno J. Silva wrote:
> On 2013-01-01, Bryan Gardiner wrote:
>>  Today I wanted to install nethack and found it is masked:
> If you're the only user of your computer, you could also just unmask
> the version in Portage.  The bug is that any user in the games group
> can edit all save files, so if you want to hack your own saves, go ahead.
> The main problem is not the cheating, but that nethack does not employ
> any kind of checks on the scores file when reading it, this effectively
> enables an attack vector where anyone with access to the scores file can
> exploit vulnerabilities in nethack simply by writing a specially-crafted
> score file.
> Nethack just relies on being setgid to a group and installing the scores
> file as writeable by that group. Unfortunately, that happens to be the
> very same "games" group Gentoo uses to group users who are allowed to
> play games, therefore rendering nethack's protection useless.

Does the insecurity extend beyond Nethack itself ?
-- if not, hard-masking it seems a bit draconian:
it sb quite safe on a single-user system.

-- 
========================,,============================================
SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatchassdotutorontodotca

[gentoo-user] Re: gentoo netheck

[Nuno J. Silva]

On 2013-01-02, Philip Webb wrote:

> 130102 Nuno J. Silva wrote:
>> On 2013-01-01, Bryan Gardiner wrote:
>>>  Today I wanted to install nethack and found it is masked:
>> If you're the only user of your computer, you could also just unmask
>> the version in Portage.  The bug is that any user in the games group
>> can edit all save files, so if you want to hack your own saves, go ahead.
>> The main problem is not the cheating, but that nethack does not employ
>> any kind of checks on the scores file when reading it, this effectively
>> enables an attack vector where anyone with access to the scores file can
>> exploit vulnerabilities in nethack simply by writing a specially-crafted
>> score file.
>> Nethack just relies on being setgid to a group and installing the scores
>> file as writeable by that group. Unfortunately, that happens to be the
>> very same "games" group Gentoo uses to group users who are allowed to
>> play games, therefore rendering nethack's protection useless.
>
> Does the insecurity extend beyond Nethack itself ?
> -- if not, hard-masking it seems a bit draconian:
> it sb quite safe on a single-user system.

It's an attack vector. If it is exploited, it extends to your whole
account, plus any system/service whose passwords/credentials are stored
in your files. 

Now if it's a single-user system, the attacker would need to already
have access to a user in the games group in your system, and the only
account in that group is likely yours, so I doubt there would be a big
issue.

-- 
Nuno Silva (aka njsg)
http://njsg.sdf-eu.org/