Summary: Review Request: ularn - a text-based roguelike game

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183089

------- Additional Comments From j.w.r.degoede@xxxxxx 2006-03-17 05:12 EST -------

MUST
====
* rpmlint output:
  E: ularn zero-length /var/games/Ularn-scoreboard
  E: ularn non-standard-executable-perm /usr/bin/Ularn 02755
  Both are due to the already discussed scoreboard stuff and can be ignored.
* Package named correctly
* GPL license OK.
* spec file legible, in Am. English
* Source matches upstream
* Successfully compiles and builds on at least one platform (FC-5 x86_64) (lots of warnings though!)
* no locale data, shared libraries, or static libraries
* No excessive Requires: or BR:
* Summary and description ok
* macro use consistent
* Game content permissible
* Not relocatable
* %doc does not affect runtime

MUSTFIX
=======
* Package should own /usr/share/ularn, just use %{_datadir}/%{name} instead of the 3 separate lines for the 3 files under this dir.
* You currently use setegid to drop the games group, that however won't affect the saved gid and thus an attacker can regain these rights by a simple setgid(games-gid). I've been reading a lot of setxxxgid man pages, and this is the solution:

    #define _GNU_SOURCE /* this must be done before the first include of unistd.h */
    #include <unistd.h>
    ....
    gid_t realgid = getgid();
    if (setresgid(-1, realgid, realgid) != 0) {
        perror("Could not drop setgid privileges. Aborting.");
        exit(1);
    }

  Also notice the perror instead of the "fprintf(stderr, " this will tell the user why it failed (or at least give a clue).
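Added example, not part of the original review comment or the ularn source: the setresgid() drop suggested above, followed by a getresgid() check that the saved gid really is gone, which is the part setegid() alone leaves behind. The function names holds_extra_gid and drop_setgid_permanently are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* exposes setresgid()/getresgid(); must precede the first include */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Redundant but compatible prototypes: they keep this file compiling even if
 * some header was included before _GNU_SOURCE took effect. */
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* Returns 1 while the effective or saved gid still differs from the real
 * gid, i.e. while a privileged group is held or can be switched back to. */
int holds_extra_gid(void)
{
    gid_t r, e, s;

    if (getresgid(&r, &e, &s) != 0)
        return 1; /* cannot tell, so assume the worst */
    return e != r || s != r;
}

/* Sets effective AND saved gid to the real gid, then verifies the result.
 * Returns 0 on success, -1 on failure. */
int drop_setgid_permanently(void)
{
    gid_t realgid = getgid();

    if (setresgid((gid_t)-1, realgid, realgid) != 0) {
        perror("Could not drop setgid privileges");
        return -1;
    }
    return holds_extra_gid() ? -1 : 0;
}

int main(void)
{
    /* A setgid game would open its score file here, while the privileged
     * group is still effective (that step is assumed, not shown). */
    if (drop_setgid_permanently() != 0)
        exit(1);
    printf("gid %ld only; setgid privileges dropped for good\n", (long)getgid());
    return 0;
}
```

Calling holds_extra_gid() after a plain setegid(getgid()) in a setgid binary returns 1, because the saved gid is still the privileged group.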