From 2f593094f0c4f828fd81a3b052ee426135135694 Mon Sep 17 00:00:00 2001 From: jsm Date: Sun, 12 Sep 1999 09:02:20 +0000 Subject: Security improvements for games (largely from or inspired by OpenBSD). Games which run setgid from dm, but don't need to, should drop their privileges at startup. Games which have a scorefile should open it at startup, then drop all privileges leaving just the open writable file descriptor. If the game can invoke subprocesses, this should be made close-on-exec. Games with scorefiles should make sure they do not get a file descriptor < 3. (Otherwise, they could get confused and corrupt the scorefile when using stdin, stdout or stderr.) Some old setuid revokes from the days of setuid games change into gid revokes. --- rogue/init.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) (limited to 'rogue/init.c')
diff --git a/rogue/init.c b/rogue/init.c
index f06ca3b4..afa5245c 100644
--- a/rogue/init.c
+++ b/rogue/init.c
@@ -1,4 +1,4 @@
-/* $NetBSD: init.c,v 1.9 1999/09/09 17:27:59 jsm Exp $ */
+/* $NetBSD: init.c,v 1.10 1999/09/12 09:02:23 jsm Exp $ */
 
 /*
  * Copyright (c) 1988, 1993
@@ -41,7 +41,7 @@
 #if 0
 static char sccsid[] = "@(#)init.c 8.1 (Berkeley) 5/31/93";
 #else
-__RCSID("$NetBSD: init.c,v 1.9 1999/09/09 17:27:59 jsm Exp $");
+__RCSID("$NetBSD: init.c,v 1.10 1999/09/12 09:02:23 jsm Exp $");
 #endif
 #endif /* not lint */
 
@@ -57,6 +57,8 @@ __RCSID("$NetBSD: init.c,v 1.9 1999/09/09 17:27:59 jsm Exp $");
  *
  */
 
+#include
+
 #include "rogue.h"
 
 char login_name[MAX_OPT_LEN];
@@ -72,6 +74,7 @@ boolean no_skull = 0;
 boolean passgo = 0;
 const char *error_file = "rogue.esave";
 const char *byebye_string = "Okay, bye bye!";
+gid_t gid, egid;
 
 int
 init(argc, argv)
@@ -80,6 +83,16 @@ init(argc, argv)
 {
 const char *pn;
 int seed;
+int fd;
+
+gid = getgid();
+egid = getegid();
+setegid(gid);
+/* Check for dirty tricks with closed fds 0, 1, 2 */
+fd = open("/dev/null", O_RDONLY);
+if (fd < 3)
+exit(1);
+close(fd);
 
 seed = 0;
 pn = md_gln();
--
cgit v1.2.3
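Review bot: The `setegid(gid)` call among the added lines discards its return value, so if lowering the effective group id fails the game silently keeps running with the dm group's privileges for its whole lifetime; check it, e.g. `if (setegid(gid) == -1) exit(1);`. Note that this only lowers the effective gid and keeps the saved set-gid, presumably so `egid` can be restored around the scorefile open the commit message describes; a comment making that intent explicit would help, e.g. `/* drop group privilege now; egid is restored only around scorefile access */`. The `fd < 3` probe also catches a failed open() (which returns -1), which is fine, but since it runs before any output the `exit(1)` gives the user no message when fds 0-2 were closed deliberately, which is worth a one-line comment so nobody later "fixes" it by printing to stderr. `O_RDONLY` needs `<fcntl.h>`, which the earlier `#include` hunk presumably supplies (the header name is lost in this rendering). The body of init() continues past the end of the hunk.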