130102 Nuno J. Silva wrote: > On 2013-01-01, Bryan Gardiner wrote: >> Today I wanted to install nethack and found it is masked: > If you're the only user of your computer, you could also just unmask > the version in Portage. The bug is that any user in the games group > can edit all save files, so if you want to hack your own saves, go ahead. > The main problem is not the cheating, but that nethack does not employ > any kind of checks on the scores file when reading it, this effectively > enables an attack vector where anyone with access to the scores file can > exploit vulnerabilities in nethack simply by writing a specially-crafted > score file. > Nethack just relies on being setgid to a group and installing the scores > file as writeable by that group. Unfortunately, that happens to be the > very same "games" group Gentoo uses to group users who are allowed to > play games, therefore rendering nethack's protection useless.
Does the insecurity extend beyond Nethack itself ? -- if not, hard-masking it seems a bit draconian: it sb quite safe on a single-user system. -- ========================,,============================================ SUPPORT ___________//___, Philip Webb ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto TRANSIT `-O----------O---' purslowatchassdotutorontodotca