On 01/07/2015 12:15 PM, Matt Turner wrote:
> On Wed, Jan 7, 2015 at 7:57 AM, William Hubbs <[email protected]>
> wrote:
>> On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
>>> 150106 William Hubbs wrote: This one is perfectly safe on a
>>> single-user system : please leave it there.
>> 
>> I'm not opposed to it staying in the tree under one of these
>> conditions:
>> 
>> 1) fix it and remove the mask
>> 
>> or
>> 
>> 2) remove the mask and add ewarns to the ebuild
> 
> Remove the mask that people have to see and actively disable in
> order to install the software and replace it with ewarn messages
> that they likely won't read?
> 
> I don't see the problem with versions with security
> vulnerabilities masked in the tree. nethack in particular has been
> masked in the tree since 2006, so we have some precedent.
> 
> 

The only reason there is a security issue with nethack (and other
games like it) on Gentoo, and only on Gentoo, is that the games team
policy requires that all games have permissions 0750, with group
"games", and all users that should be allowed to run games be in the
"games" group.  Nethack expects that it have permissions 2755 (or
2711), with group "games" and that *no* users are members of that
group, so it can securely save files that are accessible to all users
during gameplay ("bones" files) and ensure that the user cannot
access/change their current save file.  These two expectations are
incompatible with each other, and end up creating a security issue
that upstream would never expect (as no users can be in the "games"
group traditionally).

- -- 
Jonathan Callen

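The conflict described in the message above, as an added example that is not part of the original post or of any Gentoo or NetHack code: it classifies a game binary's permission layout and lists which members of the owning group could modify shared state files without going through the game. The function names, the sample paths and the 0660 state-file modes are assumptions made for illustration.

```python
import stat

# Constructed sample: (path, permission bits, owning group). The paths and the
# 0660 modes are assumptions for illustration, not taken from any ebuild.
SAMPLE_STATE = [
    ("state/bones-level", 0o660, "games"),
    ("state/save-alice", 0o660, "games"),
    ("state/README", 0o644, "root"),
]


def classify_layout(binary_mode, group_members):
    """Classify how a game executable is gated.

    binary_mode   -- permission bits of the executable (e.g. 0o2755)
    group_members -- user names that belong to the executable's group
    """
    setgid = bool(binary_mode & stat.S_ISGID)
    world_exec = bool(binary_mode & stat.S_IXOTH)
    if setgid and world_exec and not group_members:
        # 2755/2711 with an empty group: only the running game holds the gid.
        return "upstream"
    if not setgid and not world_exec:
        # 0750: being a member of the group is what lets a user start the game.
        return "group-gated"
    # Anything else mixes the two models (e.g. setgid binary, populated group).
    return "mixed"


def directly_writable(state_files, group, group_members):
    """Return (path, user) pairs where a user can change game state directly.

    A file that is group-writable by `group` is protected only as long as no
    user is a member of `group`; every member can edit it outside the game.
    """
    hits = []
    for path, mode, file_group in state_files:
        if file_group == group and mode & stat.S_IWGRP:
            hits.extend((path, user) for user in sorted(group_members))
    return hits


if __name__ == "__main__":
    for members in ([], ["alice", "bob"]):
        print(members, directly_writable(SAMPLE_STATE, "games", members))
```

On a real system the mode comes from `os.stat()` and the member list from `grp.getgrnam()`; note that `gr_mem` omits users whose primary group is the one being checked.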