| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA512 |
| 3 |
|
| 4 |
On 01/08/2015 02:23 AM, Daniel Campbell wrote: |
| 5 |
> On 01/07/2015 04:19 PM, Jonathan Callen wrote: |
| 6 |
>> On 01/07/2015 12:15 PM, Matt Turner wrote: |
| 7 |
>>> On Wed, Jan 7, 2015 at 7:57 AM, William Hubbs |
| 8 |
>>> <williamh@g.o> wrote: |
| 9 |
>>>> On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote: |
| 10 |
>>>>> 150106 William Hubbs wrote: This one is perfectly safe on a |
| 11 |
>>>>> single-user system : please leave it there. |
| 12 |
>>>> |
| 13 |
>>>> I'm not opposed to it staying in the tree under one of these |
| 14 |
>>>> conditions: |
| 15 |
>>>> |
| 16 |
>>>> 1) fix it and remove the mask |
| 17 |
>>>> |
| 18 |
>>>> or |
| 19 |
>>>> |
| 20 |
>>>> 2) remove the mask and add ewarns to the ebuild |
| 21 |
> |
| 22 |
>>> Remove the mask that people have to see and actively disable in |
| 23 |
>>> order to install the software and replace it with ewarn |
| 24 |
>>> messages that they likely won't read? |
| 25 |
> |
| 26 |
>>> I don't see the problem with versions with security |
| 27 |
>>> vulnerabilities masked in the tree. nethack in particular has |
| 28 |
>>> been masked in the tree since 2006, so we have some |
| 29 |
>>> precedence. |
| 30 |
> |
| 31 |
> |
| 32 |
> |
| 33 |
>> The only reason there is a security issue with nethack (and other |
| 34 |
>> games like it) on Gentoo, and only on Gentoo, is that the games |
| 35 |
>> team policy requires that all games have permissions 0750, with |
| 36 |
>> group "games", and all users that should be allowed to run |
| 37 |
>> games be in the "games" group. Nethack expects that it have |
| 38 |
>> permissions 2755 (or 2711), with group "games" and that *no* |
| 39 |
>> users are members of that group, so it can securely save files |
| 40 |
>> that are accessible to all users during gameplay ("bones" files) |
| 41 |
>> and ensure that the user cannot access/change their current save |
| 42 |
>> file. These two expectations are incompatible with each other, |
| 43 |
>> and end up creating a security issue that upstream would never |
| 44 |
>> expect (as no users can be in the "games" group traditionally). |
| 45 |
> |
| 46 |
> |
| 47 |
> |
| 48 |
> Is Nethack's group expectation hard-coded? If not, then what's |
| 49 |
> stopping nethack from using another, self-made group (like |
| 50 |
> 'nethack') to arbitrate the bones files? |
| 51 |
> |
| 52 |
> If it *is* hard-coded, then can we produce a (hopefully simple) |
| 53 |
> patch? |
| 54 |
> |
| 55 |
> |
| 56 |
|
| 57 |
The problem was that you could not have the game setgid to "nethack" |
| 58 |
*and* only executable by people in group "games" at the same time, as |
| 59 |
they both require setting the group of the executable in order to |
| 60 |
enforce the policy, and a file can only have one group (not counting |
| 61 |
ACLs, which are not always supported). |
| 62 |
|
| 63 |
As it is no longer required to follow the games team policy, the issue |
| 64 |
can now be fixed by *not* using the "games" group for nethack. |
| 65 |
|
| 66 |
- -- |
| 67 |
Jonathan Callen |
| 68 |
-----BEGIN PGP SIGNATURE----- |
| 69 |
Version: GnuPG v2 |
| 70 |
|
| 71 |
iQIcBAEBCgAGBQJUrzrwAAoJELHSF2kinlg4IQsP/3gdF1OxDh0tOdqxd45tL4G+ |
| 72 |
1avsJ2x1+mVWM5hi2kYx3ZG3SIAOPqJdqVrFf+WozzAjDVC7Sd6WPs//E9i630HW |
| 73 |
72O8zvO1s4CpqBrsu5Yb8BuhUHzcc4HO/3hE5rex7uhsOpPVqr96LdKtPJ74qFOH |
| 74 |
T8aL/qk46HPCEc3Dg+lKVYDnhNKfThmjq3bx2NKFFgN3VaPOEc4IUs/NCkj/PzIt |
| 75 |
UlgqwpD343qC+21xyboXVhIKeIyaaDZC2nwf/F92hhI2Xdcc9aw99O6S3mAuw1Xh |
| 76 |
YDS3XN/4EvSMgSnCMC++S0LAT7nVkbghdhUh3R92UwJQoQcDzxOR6dEBrU7zjy++ |
| 77 |
L8c3A8gM8SfmtpwjqH2JwWF9AZ29SwVM1VtBus9EiREV0mthFC/Owz7Xfalj6VsS |
| 78 |
u24hZn6NCRZ97FkOeX+GhAzAKLJHftLZW/ElgiFNwKFGA8qIjc4KIcc7Wg6opnDU |
| 79 |
y4zV1f3YnUgS/4eMZxW4gcRoDTMSiPo1K5I2lSYC5Q9pId4Y3XvrjBkh5i6LA7Cc |
| 80 |
2Pb3X4ZmWXvzm9p20kk6/SNp3qj6S/DnflWwWYmVnw4Le+Fa3+wlyS49yhL2/Aoa |
| 81 |
nLtfHlgSZkKY6rLpa9swNKiVmYEu1PxdYDB2nlGfTn8nUiwyszRGpiai0ABwEWnR |
| 82 |
NL9n1n5H6PTVOhElIKF2 |
| 83 |
=Mc9p |
| 84 |
-----END PGP SIGNATURE----- |
Archives