[Bug 183089] Review Request: ularn - a text-based roguelike game

bugzilla at redhat.com bugzilla at redhat.com
Fri Mar 17 10:12:44 UTC 2006


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: Review Request: ularn - a text-based roguelike game


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183089
------- Additional Comments From j.w.r.degoede at hhs.nl  2006-03-17 05:12 EST -------
MUST
====
* rpmlint output:
E: ularn zero-length /var/games/Ularn-scoreboard
E: ularn non-standard-executable-perm /usr/bin/Ularn 02755
Both are due to the already discussed scoreboard stuff and can be ignored.
* Package named correctly
* GPL license OK.
* spec file legible, in Am. English
* Source matches upstream
* Successfully compiles and builds on at least one platform (FC-5 x86_64)
  (lots of warnings though!)
* no locale data, shared libraries, or static libraries
* No excessive Requires: or BR:
* Summary and description ok
* macro use consistent
* Game content permissible
* Not relocatable
* %doc does not affect runtime

MUSTFIX
=======
* Package should own /usr/share/ularn, just use %{_datadir}/%{name} instead
  of the 3 separate lines for the 3 files under this dir.

* You currently use setegid to drop the games group, that however won't affect
the saved gid and thus an attacker can regain these rights by a simple
setgid(games-gid). I've been reading a lot of setxxxgid man pages, and this is
the solution:
#define _GNU_SOURCE /* this must be done before the first include of unistd.h */
#include <stdio.h>  /* perror */
#include <stdlib.h> /* exit */
#include <unistd.h>

....

gid_t realgid = getgid();
/* -1 leaves the real gid as is; effective and saved gid both become the real gid */
if (setresgid(-1, realgid, realgid) != 0) {
    perror("Could not drop setgid privileges.  Aborting.");
    exit(1);
}

Also notice the perror instead of the "fprintf(stderr, " this will tell the user
why it failed (or at least give a clue).


-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
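The privilege-drop point raised in the comment above, as an added example that is not code from the bug report or from the ularn package: it places the incomplete setegid() drop beside the setresgid() drop and adds a check that reads back all three gids, so the difference is observable rather than argued. It assumes Linux/glibc (setresgid/getresgid are GNU extensions); the function names are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* must precede the first include of unistd.h so setresgid/getresgid are declared */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Fallback prototypes, identical to glibc's, in case a header included before
 * this block already froze the feature macros (assumption: Linux/glibc). */
extern int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
extern int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* The incomplete drop the review objects to: setegid() changes only the
 * effective gid, so the saved gid still holds the setgid group and a later
 * setgid(saved) gets it back.  Returns 0 on success, -1 on failure. */
int drop_games_group_effective_only(void)
{
    return setegid(getgid());
}

/* The permanent drop from the review: real gid stays as is ((gid_t)-1 means
 * "unchanged"), effective and saved gid both become the real gid, so there is
 * nothing left to regain.  Returns 0 on success, -1 on failure with errno set. */
int drop_games_group_permanently(void)
{
    gid_t realgid = getgid();
    return setresgid((gid_t)-1, realgid, realgid);
}

/* Check that a drop actually took: real, effective and saved gid must all agree.
 * Returns 1 when fully dropped, 0 when a privileged gid is still recoverable
 * or getresgid() fails. */
int setgid_fully_dropped(void)
{
    gid_t r, e, s;
    if (getresgid(&r, &e, &s) != 0)
        return 0;
    return r == e && e == s;
}

static void print_gids(const char *label)
{
    gid_t r, e, s;
    if (getresgid(&r, &e, &s) == 0)
        printf("%-20s real=%u effective=%u saved=%u\n", label,
               (unsigned)r, (unsigned)e, (unsigned)s);
}

/* Installed setgid (e.g. mode 2755, group games) this shows the saved gid
 * surviving the setegid() step and disappearing after setresgid(); as an
 * ordinary binary all three gids already agree from the start. */
int main(void)
{
    print_gids("at start:");

    if (drop_games_group_effective_only() != 0) {
        perror("setegid");
        return 1;
    }
    print_gids("after setegid():");
    printf("fully dropped? %s\n", setgid_fully_dropped() ? "yes" : "no");

    if (drop_games_group_permanently() != 0) {
        perror("Could not drop setgid privileges.  Aborting.");
        return 1;
    }
    print_gids("after setresgid():");
    printf("fully dropped? %s\n", setgid_fully_dropped() ? "yes" : "no");
    return 0;
}
```

The unprivileged setresgid() call is permitted because every value it sets is already one of the process's current real, effective or saved gids; reading the three gids back afterwards is the check a packager can keep in the program (or in a test) to make sure a later refactor does not quietly fall back to setegid().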