Gentoo's Bugzilla – Attachment 146573 Details for
Bug 125902
<games-roguelike/nethack-3.4.3-r2: local privilege escalation and insecure savegame creation (CVE-2006-1390)
[patch]
Revised ebuild patch that runs prepgamesdirs
state-dir-permissions-fix-v3.patch (text/plain), 4.01 KB, created by
Andrew Church
on 2008-03-19 12:36:00 UTC
Description:
Revised ebuild patch that runs prepgamesdirs
Filename:
MIME Type:
Creator:
Andrew Church
Created:
2008-03-19 12:36:00 UTC
Size:
4.01 KB
patch
obsolete
>--- /usr/portage/games-roguelike/nethack/nethack-3.4.3-r1.ebuild 2007-04-01 13:35:45 +0900
>+++ nethack-3.4.3-r1.ebuild 2008-03-19 21:24:28 +0900
>@@ -4,6 +4,20 @@
> 
> inherit eutils toolchain-funcs flag-o-matic games
> 
>+# If ${USE_GENTOO_GAMES_POLICY} is set to a non-empty value, the build will
>+# follow the (current as of 2008) Gentoo games policy; otherwise, the build
>+# will assume standard Unix-like games policy. The differences are:
>+# - Under standard (non-Gentoo) policy, the "games" group is assumed to
>+# be protected from users, and NetHack will be installed as group
>+# "games" (actually ${GAMES_GROUP}). Under Gentoo policy, users are
>+# assumed to be in the "games" group, and a separate "nethack" group
>+# will be used for installation in order to protect the data files from
>+# modification by users.
>+# - The "you have to be in the 'games' group" message will only be
>+# displayed when using Gentoo policy.
>+
>+USE_GENTOO_GAMES_POLICY="for now, anyway"
>+
> MY_PV=${PV//.}
> DESCRIPTION="The ultimate old-school single player dungeon exploration game"
> HOMEPAGE="http://www.nethack.org/"
>@@ -31,6 +45,18 @@
> )"
> 
> HACKDIR="${GAMES_DATADIR}/${PN}"
>+if [ -n "${USE_GENTOO_GAMES_POLICY}" ]; then
>+ NETHACK_GROUP="nethack"
>+else
>+ NETHACK_GROUP="games"
>+fi
>+
>+pkg_setup() {
>+ games_pkg_setup
>+ if [ -n "${USE_GENTOO_GAMES_POLICY}" ]; then
>+ enewgroup nethack
>+ fi
>+}
> 
> src_unpack() {
> unpack ${A}
>@@ -105,8 +131,8 @@
> CC="$(tc-getCC)" \
> CFLAGS="${CFLAGS}" \
> LFLAGS="-L/usr/X11R6/lib" \
>- GAMEPERM=0755 \
>- GAMEUID="${GAMES_USER}" GAMEGRP="${GAMES_GROUP}" \
>+ GAMEPERM=2751 \
>+ GAMEUID="${GAMES_USER}" GAMEGRP="${NETHACK_GROUP}" \
> PREFIX="${D}/usr" \
> GAMEDIR="${D}${HACKDIR}" \
> SHELLDIR="${D}/${GAMES_BINDIR}" \
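Review bot: In the second hunk the non-Gentoo branch hard-codes `NETHACK_GROUP="games"`, although the header comment added in the first hunk says the group is "actually ${GAMES_GROUP}" and the line this patch replaces in the build step passed `GAMEGRP="${GAMES_GROUP}"`. If the games group is configured under another name, the later chgrp calls would presumably target a group other than the one the rest of the games eclass uses. Using `NETHACK_GROUP="${GAMES_GROUP}"` keeps the two in step, and `enewgroup "${NETHACK_GROUP}"` in pkg_setup would avoid spelling the group name in two places.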
>@@ -171,15 +197,51 @@
> make_desktop_entry nethack "Nethack"
> 
> prepgamesdirs
>- chmod -R 660 "${D}/${statedir}"
>- chmod 770 "${D}/${statedir}" "${D}/${statedir}/save"
>+
>+ # Set permissions on the game data directory--but note that the real
>+ # executable is stored here too, so fix it up afterwards.
>+ chgrp -R "${NETHACK_GROUP}" "${D}/${HACKDIR}" || die "chgrp hackdir"
>+ chmod -R 640 "${D}/${HACKDIR}" || die "chmod hackdir 1"
>+ # ${HACKDIR} would be 750 if ${GAMES_BINDIR}/nethack wasn't a shell
>+ # script that called the real executable, ${HACKDIR}/nethack
>+ chmod 751 "${D}/${HACKDIR}" || die "chmod hackdir 2"
>+ chmod 2751 "${D}/${HACKDIR}/nethack" || die "chmod nethack"
>+
>+ # "recover" should only be runnable by the administrator; otherwise,
>+ # ordinary users could mess with other users' save files (see the
>+ # manpage).
>+ chgrp "${NETHACK_GROUP}" "${D}/${GAMES_BINDIR}/recover-nethack" \
>+ || die "chgrp recover"
>+ chmod 2750 "${D}/${GAMES_BINDIR}/recover-nethack" || die "chmod recover"
>+
>+ # Prevent users from modifying state files. (#125902)
>+ chgrp -R "${NETHACK_GROUP}" "${D}/${statedir}" || die "chgrp statedir"
>+ chmod -R 660 "${D}/${statedir}" || die "chmod statedir 1"
>+ chmod 770 "${D}/${statedir}" "${D}/${statedir}/save" \
>+ || die "chmod statedir 2"
> }
> 
> pkg_postinst() {
>- games_pkg_postinst
>+ if [ -z "${USE_GENTOO_GAMES_POLICY}" ]; then
>+ gamesenv
>+ else
>+ games_pkg_postinst
>+ fi
> if use qt3 && has_version '=x11-libs/qt-3.1*' ; then
> ewarn "the qt frontend may be a little unstable with this version of qt"
> ewarn "please see Bug 32629 for more information"
> fi
> elog "You may want to look at /etc/skel/.nethackrc for interesting options"
>+
>+ # Old installations of nethack may have the wrong group or permissions,
>+ # so update them once more here. FIXME: If we force an unmerge of any
>+ # old ebuild first, the code below can be removed.
>+ chgrp -R "${NETHACK_GROUP}" "${HACKDIR}" || die "chgrp hackdir"
>+ chmod -R 640 "${HACKDIR}" || die "chmod hackdir 1"
>+ chmod 751 "${HACKDIR}" || die "chmod hackdir 2"
>+ chmod 2751 "${HACKDIR}/nethack"
>+ local statedir="${GAMES_STATEDIR}/${PN}"
>+ chgrp -R "${NETHACK_GROUP}" "${statedir}" || die "chgrp statedir"
>+ chmod -R 660 "${statedir}" || die "chmod statedir 1"
>+ chmod 770 "${statedir}" "${statedir}/save" || die "chmod statedir 2"
> }
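Review bot: The `chmod 2750` on `recover-nethack` sets the setgid bit on a tool that the comment directly above says only the administrator should run; root needs no group elevation, so the bit appears unnecessary, and `chmod 0750 "${D}/${GAMES_BINDIR}/recover-nethack" || die "chmod recover"` would match the stated intent. In the pkg_postinst fix-up, `chmod 2751 "${HACKDIR}/nethack"` is the only call without `|| die`, so a failure there would leave the binary at the 640 applied by the preceding recursive chmod without aborting the merge; add `|| die "chmod nethack"` as the install step does. That fix-up also runs recursive chgrp/chmod as root over a state directory that, per the removed lines and the policy comment, games-group users could write to on older installs, so it is worth confirming that links left there cannot redirect the change onto files outside the tree. The install function these first lines belong to starts outside the hunk.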
Attachments on
bug 125902
:
139487
|
139490
|
139499
| 146573