From 2f593094f0c4f828fd81a3b052ee426135135694 Mon Sep 17 00:00:00 2001
From: jsm
Date: Sun, 12 Sep 1999 09:02:20 +0000
Subject: Security improvements for games (largely from or inspired by OpenBSD). Games which run setgid from dm, but don't need to, should drop their privileges at startup. Games which have a scorefile should open it at startup, then drop all privileges leaving just the open writable file descriptor. If the game can invoke subprocesses, this should be made close-on-exec. Games with scorefiles should make sure they do not get a file descriptor < 3. (Otherwise, they could get confused and corrupt the scorefile when using stdin, stdout or stderr.) Some old setuid revokes from the days of setuid games change into gid revokes.
---
 tetris/scores.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'tetris/scores.c')
diff --git a/tetris/scores.c b/tetris/scores.c
index a93c2ef5..7f3e4115 100644
--- a/tetris/scores.c
+++ b/tetris/scores.c
@@ -1,4 +1,4 @@
-/* $NetBSD: scores.c,v 1.5 1999/09/08 21:18:00 jsm Exp $ */
+/* $NetBSD: scores.c,v 1.6 1999/09/12 09:02:23 jsm Exp $ */
 /*-
 * Copyright (c) 1992, 1993
@@ -51,6 +51,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -96,6 +97,7 @@ getscores(fpp)
 FILE **fpp;
 {
 int sd, mint, lck;
+ mode_t mask;
 const char *mstr, *human;
 FILE *sf;
@@ -110,10 +112,14 @@ getscores(fpp)
 human = "reading";
 lck = LOCK_SH;
 }
+ setegid(egid);
+ mask = umask(S_IWOTH);
 sd = open(_PATH_SCOREFILE, mint, 0666);
+ (void)umask(mask);
 if (sd < 0) {
 if (fpp == NULL) {
 nscores = 0;
+ setegid(gid);
 return;
 }
 (void)fprintf(stderr, "tetris: cannot open %s for %s: %s\n",
@@ -125,6 +131,7 @@ getscores(fpp)
 _PATH_SCOREFILE, human, strerror(errno));
 exit(1);
 }
+ setegid(gid);
 /*
 * Grab a lock.
-- 
cgit v1.2.3
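Review bot: The privilege drop in the `@@ -110,10 +112,14 @@` and `@@ -125,6 +131,7 @@` hunks ignores the return value of `setegid(gid)`, so if the drop fails the game continues running with the scorefile group's effective gid and nothing notices; the same applies to `setegid(egid)` before the open, where a failure only surfaces indirectly as an open error. Each drop should be checked and treated as fatal, e.g. `if (setegid(gid) < 0) { (void)fprintf(stderr, "tetris: setegid: %s\n", strerror(errno)); exit(1); }`, matching the error style already used for the open failure. The commit message also asks that scorefile games never end up with a descriptor below 3, but nothing in these hunks verifies `sd >= 3`; this may be handled at startup in tetris.c, which is not visible here. `gid` and `egid` are referenced but not declared in any hunk, so they are presumably globals set elsewhere; the body of getscores continues outside the last hunk.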