On 01/07/2015 04:19 PM, Jonathan Callen wrote:
> On 01/07/2015 12:15 PM, Matt Turner wrote:
>> On Wed, Jan 7, 2015 at 7:57 AM, William Hubbs
>> <williamh@g.o> wrote:
>>> On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
>>>> 150106 William Hubbs wrote: This one is perfectly safe on a
>>>> single-user system : please leave it there.
>>>
>>> I'm not opposed to it staying in the tree under one of these
>>> conditions:
>>>
>>> 1) fix it and remove the mask
>>>
>>> or
>>>
>>> 2) remove the mask and add ewarns to the ebuild
>
>> Remove the mask that people have to see and actively disable in
>> order to install the software and replace it with ewarn messages
>> that they likely won't read?
>
>> I don't see the problem with versions with security
>> vulnerabilities masked in the tree. nethack in particular has
>> been masked in the tree since 2006, so we have some precedence.
>
> The only reason there is a security issue with nethack (and other
> games like it) on Gentoo, and only on Gentoo, is that the games
> team policy requires that all games have permissions 0750, with
> group "games", and all users that should be allowed to run games
> be in the "games" group. Nethack expects that it have permissions
> 2755 (or 2711), with group "games" and that *no* users are members
> of that group, so it can securely save files that are accessible
> to all users during gameplay ("bones" files) and ensure that the
> user cannot access/change their current save file. These two
> expectations are incompatible with each other, and end up creating
> a security issue that upstream would never expect (as no users can
> be in the "games" group traditionally).
>

Is Nethack's group expectation hard-coded? If not, then what's
stopping nethack from using another, self-made group (like 'nethack')
to arbitrate the bones files?

If it *is* hard-coded, then can we produce a (hopefully simple) patch?