Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 139499 Details for
Bug 125902
<games-roguelike/nethack-3.4.3-r2: local privilege escalation and insecure savegame creation (CVE-2006-1390)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Revised, policy-agnostic version of ebuild patch
state-dir-permissions-fix-v2.patch (text/plain), 4.34 KB, created by
Andrew Church
on 2007-12-28 11:03:48 UTC
(
hide
)
Description:
Revised, policy-agnostic version of ebuild patch
Filename:
MIME Type:
Creator:
Andrew Church
Created:
2007-12-28 11:03:48 UTC
Size:
4.34 KB
patch
obsolete
>--- /usr/portage/games-roguelike/nethack/nethack-3.4.3-r1.ebuild 2007-04-01 13:35:45 +0900 >+++ nethack-3.4.3-r1.ebuild 2007-12-28 19:57:33 +0900 >@@ -4,6 +4,20 @@ > > inherit eutils toolchain-funcs flag-o-matic games > >+# If ${USE_GENTOO_GAMES_POLICY} is set to a non-empty value, the build will >+# follow the (current as of 2007) Gentoo games policy; otherwise, the build >+# will assume standard Unix-like games policy. The differences are: >+# - Under standard (non-Gentoo) policy, the "games" group is assumed to >+# be protected from users, and NetHack will be installed as group >+# "games" (actually ${GAMES_GROUP}). Under Gentoo policy, users are >+# assumed to be in the "games" group, and a separate "nethack" group >+# will be used for installation in order to protect the data files from >+# modification by users. >+# - The "you have to be in the 'games' group" message will only be >+# displayed when using Gentoo policy. >+ >+USE_GENTOO_GAMES_POLICY="for now, anyway" >+ > MY_PV=${PV//.} > DESCRIPTION="The ultimate old-school single player dungeon exploration game" > HOMEPAGE="http://www.nethack.org/" >@@ -31,6 +45,18 @@ > )" > > HACKDIR="${GAMES_DATADIR}/${PN}" >+if [ -n "${USE_GENTOO_GAMES_POLICY}" ]; then >+ NETHACK_GROUP="nethack" >+else >+ NETHACK_GROUP="games" >+fi >+ >+pkg_setup() { >+ games_pkg_setup >+ if [ -n "${USE_GENTOO_GAMES_POLICY}" ]; then >+ enewgroup nethack >+ fi >+} > > src_unpack() { > unpack ${A} >@@ -107,18 +133,31 @@ > CC="$(tc-getCC)" \ > CFLAGS="${CFLAGS}" \ > LFLAGS="-L/usr/X11R6/lib" \ >- GAMEPERM=0755 \ >- GAMEUID="${GAMES_USER}" GAMEGRP="${GAMES_GROUP}" \ >+ GAMEPERM=2751 \ >+ GAMEUID="${GAMES_USER}" GAMEGRP="${NETHACK_GROUP}" \ > PREFIX="${D}/usr" \ > GAMEDIR="${D}${HACKDIR}" \ > SHELLDIR="${D}/${GAMES_BINDIR}" \ > install \ > || die "make install failed" > >+ # Set permissions on the game data directory--but note that the real >+ # executable is stored here too, so fix it up afterwards. >+ chgrp -R "${NETHACK_GROUP}" "${D}/${HACKDIR}" || die "chgrp hackdir" >+ chmod -R 640 "${D}/${HACKDIR}" || die "chmod hackdir 1" >+ # ${HACKDIR} would be 750 if ${GAMES_BINDIR}/nethack wasn't a shell >+ # script that called the real executable, ${HACKDIR}/nethack >+ chmod 751 "${D}/${HACKDIR}" || die "chmod hackdir 2" >+ chmod 2751 "${D}/${HACKDIR}/nethack" || die "chmod hackdir 3" >+ > # We keep this stuff in ${GAMES_STATEDIR} instead so tidy up. > rm -rf "${D}/usr/share/games/nethack/save" > > newgamesbin util/recover recover-nethack || die "newgamesbin failed" >+ # FIXME: do we want to let users run this or not? >+ chgrp "${NETHACK_GROUP}" "${D}/${GAMES_BINDIR}/recover-nethack" \ >+ || die "chgrp recover" >+ chmod 2750 "${D}/${GAMES_BINDIR}/recover-nethack" || die "chmod binaries" > > # The final nethack is a sh script. This fixes the hard-coded > # HACKDIR directory so it doesn't point to ${D}/usr/share/nethackdir >@@ -172,16 +211,36 @@ > mv "${D}/${HACKDIR}/"{record,logfile,perm} "${D}/${statedir}/" > make_desktop_entry nethack "Nethack" > >- prepgamesdirs >- chmod -R 660 "${D}/${statedir}" >- chmod 770 "${D}/${statedir}" "${D}/${statedir}/save" >+ # Prevent users from modifying state files (#125902) >+ chgrp -R "${NETHACK_GROUP}" "${D}/${statedir}" || die "chgrp statedir" >+ chmod -R 660 "${D}/${statedir}" || die "chmod statedir 1" >+ chmod 770 "${D}/${statedir}" "${D}/${statedir}/save" \ >+ || die "chmod statedir 2" >+ >+ # We do NOT run prepgamesdirs because it would stomp all over our >+ # carefully set permissions. > } > > pkg_postinst() { >- games_pkg_postinst >+ if [ -z "${USE_GENTOO_GAMES_POLICY}" ]; then >+ gamesenv >+ else >+ games_pkg_postinst >+ fi > if use qt3 && has_version '=x11-libs/qt-3.1*' ; then > ewarn "the qt frontend may be a little unstable with this version of qt" > ewarn "please see Bug 32629 for more information" > fi > elog "You may want to look at /etc/skel/.nethackrc for interesting options" >+ >+ # Old installations of nethack may have the wrong group or permissions, >+ # so update them once more here >+ chgrp -R "${NETHACK_GROUP}" "${HACKDIR}" || die "chgrp hackdir" >+ chmod -R 640 "${HACKDIR}" || die "chmod hackdir 1" >+ chmod 751 "${HACKDIR}" || die "chmod hackdir 2" >+ chmod 2751 "${HACKDIR}/nethack" >+ local statedir="${GAMES_STATEDIR}/${PN}" >+ chgrp -R "${NETHACK_GROUP}" "${statedir}" || die "chgrp statedir" >+ chmod -R 660 "${statedir}" || die "chmod statedir 1" >+ chmod 770 "${statedir}" "${statedir}/save" || die "chmod statedir 2" > }
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 125902
:
139487
|
139490
|
139499
|
146573