On 01/07/2015 04:19 PM, Jonathan Callen wrote:
> On 01/07/2015 12:15 PM, Matt Turner wrote:
>> On Wed, Jan 7, 2015 at 7:57 AM, William Hubbs
>> <willi...@gentoo.org> wrote:
>>> On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
>>>> 150106 William Hubbs wrote: This one is perfectly safe on a
>>>> single-user system : please leave it there.
>>>
>>> I'm not opposed to it staying in the tree under one of these
>>> conditions:
>>>
>>> 1) fix it and remove the mask
>>>
>>> or
>>>
>>> 2) remove the mask and add ewarns to the ebuild
>
>> Remove the mask that people have to see and actively disable in
>> order to install the software and replace it with ewarn messages
>> that they likely won't read?
>
>> I don't see the problem with versions with security
>> vulnerabilities masked in the tree. nethack in particular has
>> been masked in the tree since 2006, so we have some precedence.
>
> The only reason there is a security issue with nethack (and other
> games like it) on Gentoo, and only on Gentoo, is that the games
> team policy requires that all games have permissions 0750, with
> group "games", and all users that should be allowed to run games
> be in the "games" group. Nethack expects that it have permissions
> 2755 (or 2711), with group "games" and that *no* users are members
> of that group, so it can securely save files that are accessible
> to all users during gameplay ("bones" files) and ensure that the
> user cannot access/change their current save file. These two
> expectations are incompatible with each other, and end up creating
> a security issue that upstream would never expect (as no users can
> be in the "games" group traditionally).
>

Is Nethack's group expectation hard-coded? If not, then what's
stopping nethack from using another, self-made group (like 'nethack')
to arbitrate the bones files? If it *is* hard-coded, then can we
produce a (hopefully simple) patch?
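
The conflict Jonathan Callen describes, and the dedicated-group idea raised in the reply, can be checked mechanically. The following is an added example, not part of the original thread and not Gentoo or NetHack code: it parses constructed group and passwd data and reports when accounts hold the group that a setgid game relies on to protect its save and bones files. The state directory mode 0770, the account names, the GIDs and the "arcade" group are assumptions made for illustration.

```python
import stat

# Constructed sample data (not from a real system): group and passwd files.
GROUP_DB = "games:x:35:alice,bob\nnethack:x:990:\narcade:x:991:\n"
PASSWD_DB = ("alice:x:1000:1000::/home/alice:/bin/bash\n"
             "bob:x:1001:1001::/home/bob:/bin/bash\n"
             "carol:x:1002:991::/home/carol:/bin/bash\n")

def group_members(group, group_db, passwd_db):
    """Accounts that hold `group`: supplementary members listed in the group
    file plus accounts whose primary GID in passwd is the group's GID."""
    gid, members = None, set()
    for line in group_db.splitlines():
        name, _pw, g, users = line.split(":")
        if name == group:
            gid = int(g)
            members.update(u for u in users.split(",") if u)
    if gid is None:
        raise KeyError(group)
    for line in passwd_db.splitlines():
        fields = line.split(":")
        if int(fields[3]) == gid:
            members.add(fields[0])
    return members

def audit(binary_mode, state_mode, group, group_db=GROUP_DB, passwd_db=PASSWD_DB):
    """Return findings for a game whose shared state (saves, bones) is
    protected by `group`. An empty list means only the setgid binary can
    write the state directory."""
    findings = []
    members = group_members(group, group_db, passwd_db)
    if not binary_mode & stat.S_ISGID:
        findings.append("not-setgid")  # game runs with the player's own groups
    if state_mode & stat.S_IWOTH:
        findings.append("state-world-writable")
    if members and state_mode & stat.S_IWGRP:
        # Members can edit saves and bones directly, without running the game.
        findings.append("members-can-edit-state:" + ",".join(sorted(members)))
    return findings

if __name__ == "__main__":
    STATE = 0o770  # assumed mode of the shared state directory
    print("0750, players in games:  ", audit(0o750, STATE, "games"))
    print("2755, players in games:  ", audit(0o2755, STATE, "games"))
    print("2755, dedicated group:   ", audit(0o2755, STATE, "nethack"))
    print("2755, primary-GID member:", audit(0o2755, STATE, "arcade"))
```

The "arcade" case shows why the check must read passwd as well as the group file: an account whose primary GID is the game's group is a member even though the group file lists nobody.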