dashkal (n00b), Joined: 12 Apr 2006, Posts: 2
Posted: Wed Apr 12, 2006 11:13 pm
I do rather hope gentoo comes into line with the "standard" use of the games group.
My policy has been simply to roll my own games into /usr/local rather than deal with the oddities of having to actually be in the "games" group.
So yeah, I'm a regular user who disagrees with the games team's stance on restricting games to the games group.
Rather pointless anyway considering any user can compile/install their own games to ${HOME} anyway...

mrsteven (Veteran), Joined: 04 Jul 2003, Posts: 1938
Posted: Thu Apr 13, 2006 9:40 am
dashkal wrote: Rather pointless anyway considering any user can compile/install their own games to ${HOME} anyway...

...which you can avoid by mounting /home /tmp /var/tmp with the noexec option.
_________________
Unix philosophy: "Do one thing and do it well."
systemd: "Do everything and do it wrong."

Naib (Watchman), Joined: 21 May 2004, Posts: 6053
Posted: Thu Apr 13, 2006 11:25 am
new_to_non_X86 wrote:
PaulBredbury wrote: the bug is obviously in the nethack code
wolf31o2 wrote: This *is* 100% a bug in nethack
nethack code or not, the way gentoo handles games must be fixed,
but we can temporarily patch nethack while working on resolving this issue

By "we" you mean Gentoo:Devs.
This is purely a problem with NetHack that becomes visible via Gentoo's use of the "games" group. Is the blame Gentoo's? NO. Is the blame NetHack's? YES.
No other game that requires a user to be part of the "games" group does this, so how can it be Gentoo's fault?
I quite like the principle of the games group; it makes sense: only ppl in the games group can play.

mrsteven (Veteran), Joined: 04 Jul 2003, Posts: 1938
Posted: Thu Apr 13, 2006 11:42 am
Indeed it's really simple: If Gentoo handled the permissions for games and game data correctly, there would be no problem. If I followed your argumentation, I'd have to say that all *nix-like OSes are crap, because if you set wrong permissions, for example on /dev/hda, bad things can happen.
It is possible to restrict access to the installed games anyway, as is discussed in the bug report.

dashkal (n00b), Joined: 12 Apr 2006, Posts: 2
Posted: Fri Apr 14, 2006 7:30 pm
mrsteven wrote:
dashkal wrote: Rather pointless anyway considering any user can compile/install their own games to ${HOME} anyway...
...which you can avoid by mounting /home /tmp /var/tmp with the noexec option.

True, but that requires extra work anyway. Without resorting to drastic measures like that, the restricted games policy doesn't actually stop anything.

CMthoma (n00b), Joined: 19 Apr 2006, Posts: 1
Posted: Wed Apr 19, 2006 7:00 am
I just noticed that nethack was masked today, came across this thread; sorry for the bump. And sorry if someone has mentioned this elsewhere; it seems brutally obvious, but I just haven't seen it.
Attaining the secure, standard behavior is not an involved process in the least; for me, it was as easy as 3 chmods and a /etc/group edit. You just have to make /usr/games and /usr/games/* world readable and executable, and /usr/games/bin/* world readable, executable, and setgid (that's a 2 in the first octal). Remove your users from the games group and it works automatically; I played a game of bastet and it read and wrote the high score file no problem.
I've seen it proposed elsewhere that there should be a games-update (akin to etc-update and opengl-update) tool, run following game emerges; in the interim, while the nearly 800 packages in games-*/ are fixed, this would be a good solution, I think. All the script needs to do is refresh the perms as I stated above, very simply like so:
Code:
    #!/bin/sh
    # Refresh the "standard" games permissions after a game emerge (run as root).
    chmod 0755 /usr/games          # games directory: world readable and executable
    chmod 0755 /usr/games/*        # everything directly beneath it, likewise
    chmod 2751 /usr/games/bin/*    # game binaries: setgid (the leading 2), group r-x, others x only
Naturally, this doesn't cover all games, such as those installed to /opt (all those Id games, for instance). The script would have to be extended for those cases, or the user would otherwise be advised to do it manually. Of course, this interim standards-compliance hack is completely optional, and would probably only be done by those obsessed with security; the average user that didn't notice the GLSA would go on living their life as normal until they emerge after whatever change in policy occurs (if one occurs at all).
On another note, I think all the people putting the blame fully on the upstream devs are kind of reaffirming some of the bad stereotypes that users of older, more conventional distros have of us: that we're some kind of fanatical Linux cult that likes to break things and blame upstream when things go wrong. Obviously Nethack shouldn't have this buffer overflow vulnerability, and it's probably a good thing that it got exposed; but how can anyone so vehemently defend the ability for regular users to edit highscore files, as has been the Gentoo way since the beginning? Not that I'm attacking anyone, I just don't see the logic in it. I've always personally seen the Gentoo games group as an inappropriate enforcement of policy, anyway, where most everywhere else in Gentoo seems to be more oriented on mechanism.

Arek75 (n00b), Joined: 11 Nov 2004, Posts: 25
Posted: Wed Apr 19, 2006 4:14 pm
Just out of curiosity... Is there a good reason (for the average linux user) that gentoo restricts running games to the members of the games group? I can see such a restriction in a corporate-style environment where there's a policy stating "no games on the job", but is that where the majority of Gentoo linux machines end up?
Perhaps, as at least a temporary solution, have games be group-executable for the 'users' group, rather than the 'games' group by default (with USE="gamesgrouprestriction" to revert the behavior). Keeping it restricted to users (imo) is a good idea, since it would keep anonymous users from accessing them.
Additionally, how about adding a 'saves' group for savegames, highscores, and the like (no group members, tho)? This would help keep problems like this one in NetHack from cropping up again.
--Arek
P.S. None of this excuses NetHack for having faulty code. This is a recommendation for simplifying gentoo's games handling from the users' perspective.

mrsteven (Veteran), Joined: 04 Jul 2003, Posts: 1938
Posted: Fri May 19, 2006 10:46 am
Is there anything going on about that? There has been no activity on b.g.o about that since last month... Anybody working on this?

srm (n00b), Joined: 14 Dec 2005, Posts: 71, Location: in da Heide. this globe
Posted: Sun Mar 18, 2007 8:26 pm
regarding bugs.gentoo (https://bugs.gentoo.org/show_bug.cgi?id=125902)
there is discussion about creating a new user/group for every game you will install.
at the first look, i think i would dislike something like that, for i feel like this would be kinda messy... on the other hand, mysql also needed new user(s) and i don't think i will pull in all games and therefore have 20.000 hardcore members on my box
so, let's see how this goes... nethack still hardmasked... *waiting for the summertime*
bye
_________________
I'm no longer angry, for having to truncate my sig because it got too long, with the following reminder:
Please check unanswered posts
co chaoid sounds

Archangel1 (Veteran), Joined: 21 Apr 2004, Posts: 1212, Location: Work
Posted: Mon Mar 19, 2007 3:59 am
Does anyone else think Nethack's approach is a bit weird? Writing savegames to somewhere other than ~ seems a bit twisted...
What's it meant to accomplish anyway? I know that I'm not meant to be able to restore a game if I die, but if I want to take an image of the game's data and copy it back later, I can; heck, if I really wanted to cheat, being required to su isn't going to stop me.
_________________
What are you, stupid?

dleverton (Guru), Joined: 28 Aug 2006, Posts: 517
Posted: Mon Mar 19, 2007 12:23 pm
Archangel1 wrote: heck, if I really wanted to cheat, being required to su isn't going to stop me.

It is if you're on a multiuser system where you don't have su access. In that case it's important that you don't cheat, because your games interact with other people's via the bones files and high-score table.

mikegpitt (Advocate), Joined: 22 May 2004, Posts: 3224
Posted: Tue Mar 20, 2007 3:40 pm
srm wrote:
regarding bugs.gentoo (https://bugs.gentoo.org/show_bug.cgi?id=125902)
there is discussion about creating a new user/group for every game you will install.
at the first look, i think i would dislike something like that, for i feel like this would be kinda messy... on the other hand, mysql also needed new user(s) and i don't think i will pull in all games and therefore have 20.000 hardcore members on my box
so, let's see how this goes... nethack still hardmasked... *waiting for the summertime*
bye

This seems like a messy solution. I know the system can handle lots of users, but for a home desktop this doesn't appeal to me. I've been using gentoo for too long to remember how other distros handle games, but I'm betting they do something cleaner than creating lots of users.

Dralnu (Veteran), Joined: 24 May 2006, Posts: 1919
Posted: Tue Mar 20, 2007 4:07 pm
my .02C
Move games from /usr/games to /opt/games. A symlink to start would make for a quick fix; drop it in a few months, and fix the handling in the meantime.
Make a group for each game (for example, nethackexec), with a single group to give you access to EVERY game so that the admin has a normal user without a long list of games.
Wherever game data is saved, change the directory's permissions to that of the game itself, and no one else (in this case, nethack:nethack).
It would be a lot of work, and while we all know the devs have their own motives, this needs to be fixed CORRECTLY instead of another hack-fix on the system.
This problem may be with a bug in Nethack, but this is a bug that has exposed another problem with our non-FHS-compliant system layout and setup.
_________________
The day Microsoft makes a product that doesn't suck is the day they make a vacuum cleaner.

mikegpitt (Advocate), Joined: 22 May 2004, Posts: 3224
Posted: Tue Mar 20, 2007 11:20 pm
Ya know... this is something where use flags come in very handy. It would be nice to see a "global-stats" useflag that, when enabled, allowed scores to be shared. This way, if there was a messy solution like adding users and groups, at least it can be controlled.
Although it is better to fix the problem...

Archangel1 (Veteran), Joined: 21 Apr 2004, Posts: 1212, Location: Work
Posted: Tue Mar 20, 2007 11:20 pm
dleverton wrote:
Archangel1 wrote: heck, if I really wanted to cheat, being required to su isn't going to stop me.
It is if you're on a multiuser system where you don't have su access. In that case it's important that you don't cheat, because your games interact with other people's via the bones files and high-score table.

Yeah, that's obviously true; my point was just that if it doesn't work in all cases (and I bet most of the people playing NetHack are doing it on a machine they have the ability to su on), then what's the point in worrying? They're trying to use system permissions to enforce an inability to "cheat", but that only actually works for some of their users, not all.

dleverton (Guru), Joined: 28 Aug 2006, Posts: 517
Posted: Wed Mar 21, 2007 12:23 am
Archangel1 wrote: Yeah, that's obviously true; my point was just that if it doesn't work in all cases (and I bet most of the people playing NetHack are doing it on a machine they have the ability to su on), then what's the point in worrying? They're trying to use system permissions to enforce an inability to "cheat", but that only actually works for some of their users, not all.

That's not the point. No-one cares if you cheat on your own private system ("you're only cheating yourself" and all that), and since you have the source there are innumerable ways you can cheat anyway. The restriction is to stop you from cheating in ways that will affect other people. You can still compile your own hacked version in your home directory, but then that copy can't (or shouldn't be able to, with the "standard" permissions) modify the system-wide files. (It still doesn't protect users from a mischievous admin, but if you don't trust your admin you're screwed anyway.)