author | jsm <jsm@NetBSD.org> | 1999-09-12 09:02:20 +0000 |
---|---|---|
committer | jsm <jsm@NetBSD.org> | 1999-09-12 09:02:20 +0000 |
commit | 2f593094f0c4f828fd81a3b052ee426135135694 (patch) | |
tree | 7b98927c7e61fffdc04daa44d0d99f2316fa1a47 /rogue | |
parent | b8724a0a95054da51b0a8bfca19d6d2b2662609f (diff) | |
Security improvements for games (largely from or inspired by OpenBSD).
Games which run setgid from dm, but don't need to, should drop their
privileges at startup.
Games which have a scorefile should open it at startup, then drop all
privileges leaving just the open writable file descriptor. If the
game can invoke subprocesses, this should be made close-on-exec.
Games with scorefiles should make sure they do not get a file
descriptor < 3. (Otherwise, they could get confused and corrupt the
scorefile when using stdin, stdout or stderr.)
Some old setuid revocations, left over from the days when games ran setuid, become gid
revocations.
Diffstat (limited to 'rogue')
-rw-r--r-- | rogue/init.c | 17 | ||||
-rw-r--r-- | rogue/machdep.c | 11 | ||||
-rw-r--r-- | rogue/rogue.h | 6 | ||||
-rw-r--r-- | rogue/score.c | 7 |
4 files changed, 30 insertions, 11 deletions
diff --git a/rogue/init.c b/rogue/init.c
index f06ca3b4..afa5245c 100644
--- a/rogue/init.c
+++ b/rogue/init.c
@@ -1,4 +1,4 @@
-/* $NetBSD: init.c,v 1.9 1999/09/09 17:27:59 jsm Exp $ */
+/* $NetBSD: init.c,v 1.10 1999/09/12 09:02:23 jsm Exp $ */
 
 /*
  * Copyright (c) 1988, 1993
@@ -41,7 +41,7 @@
 #if 0
 static char sccsid[] = "@(#)init.c 8.1 (Berkeley) 5/31/93";
 #else
-__RCSID("$NetBSD: init.c,v 1.9 1999/09/09 17:27:59 jsm Exp $");
+__RCSID("$NetBSD: init.c,v 1.10 1999/09/12 09:02:23 jsm Exp $");
 #endif
 #endif /* not lint */
 
@@ -57,6 +57,8 @@ __RCSID("$NetBSD: init.c,v 1.9 1999/09/09 17:27:59 jsm Exp $");
  *
  */
 
+#include <fcntl.h>
+
 #include "rogue.h"
 
 char login_name[MAX_OPT_LEN];
@@ -72,6 +74,7 @@ boolean no_skull = 0;
 boolean passgo = 0;
 const char *error_file = "rogue.esave";
 const char *byebye_string = "Okay, bye bye!";
+gid_t gid, egid;
 
 int
 init(argc, argv)
@@ -80,6 +83,16 @@ init(argc, argv)
 {
 	const char *pn;
 	int seed;
+	int fd;
+
+	gid = getgid();
+	egid = getegid();
+	setegid(gid);
+	/* Check for dirty tricks with closed fds 0, 1, 2 */
+	fd = open("/dev/null", O_RDONLY);
+	if (fd < 3)
+		exit(1);
+	close(fd);
 
 	seed = 0;
 	pn = md_gln();
diff --git a/rogue/machdep.c b/rogue/machdep.c
index 7e23ebf0..841f7b01 100644
--- a/rogue/machdep.c
+++ b/rogue/machdep.c
@@ -1,4 +1,4 @@
-/* $NetBSD: machdep.c,v 1.9 1998/11/10 13:01:32 hubertf Exp $ */
+/* $NetBSD: machdep.c,v 1.10 1999/09/12 09:02:23 jsm Exp $ */
 
 /*
  * Copyright (c) 1988, 1993
@@ -41,7 +41,7 @@
 #if 0
 static char sccsid[] = "@(#)machdep.c 8.1 (Berkeley) 5/31/93";
 #else
-__RCSID("$NetBSD: machdep.c,v 1.9 1998/11/10 13:01:32 hubertf Exp $");
+__RCSID("$NetBSD: machdep.c,v 1.10 1999/09/12 09:02:23 jsm Exp $");
 #endif
 #endif /* not lint */
 
@@ -471,10 +471,13 @@ md_lock(l)
 	short tries;
 
 	if (l) {
+		setegid(egid);
 		if ((fd = open(_PATH_SCOREFILE, O_RDONLY)) < 1) {
+			setegid(gid);
 			message("cannot lock score file", 0);
 			return;
 		}
+		setegid(gid);
 		for (tries = 0; tries < 5; tries++)
 			if (!flock(fd, LOCK_EX|LOCK_NB))
 				return;
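Review bot: The `setegid(gid)` added to init() has its return value ignored, so a failed drop would leave the game running for the whole session with the effective gid it was meant to give up; the same unchecked pattern appears in the md_lock and put_scores hunks. Treating a failed drop as fatal, as the new descriptor check already does, would be `if (setegid(gid) != 0) exit(1);`. The description recommends opening the score file once at startup and then dropping all privileges, whereas this commit keeps `egid` for the life of the process and re-raises it around each score-file access; if that is deliberate, a comment on `gid_t gid, egid;` saying why rogue takes this route would spare the next reader the question. init()'s body continues outside the hunk.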
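Review bot: The descriptor md_lock opens on _PATH_SCOREFILE is left open once flock() succeeds, yet it is never marked close-on-exec, and the description asks for exactly that in games that can invoke subprocesses — rogue does so in md_shell. Adding `fcntl(fd, F_SETFD, FD_CLOEXEC);` right after the successful open (with `<fcntl.h>` in scope, which open() already needs) keeps the locked score-file descriptor out of any spawned shell. The window with egid raised is already as narrow as the open call, which is the right shape. md_lock begins and ends outside the hunk.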
@@ -500,10 +503,6 @@ md_shell(shell)
 	int w;
 
 	if (!fork()) {
-		int uid;
-
-		uid = getuid();
-		setuid(uid);
 		execl(shell, shell, 0);
 	}
 	wait(&w);
diff --git a/rogue/rogue.h b/rogue/rogue.h
index 92d49c09..0bf1e105 100644
--- a/rogue/rogue.h
+++ b/rogue/rogue.h
@@ -1,4 +1,4 @@
-/* $NetBSD: rogue.h,v 1.9 1999/09/08 21:45:30 jsm Exp $ */
+/* $NetBSD: rogue.h,v 1.10 1999/09/12 09:02:23 jsm Exp $ */
 
 /*
  * Copyright (c) 1988, 1993
@@ -457,6 +457,8 @@ extern char *CL;
  */
 #include <stdio.h>
 #include <string.h>
+#include <sys/types.h>
+#include <unistd.h>
 
 object *alloc_object __P((void));
 object *check_duplicate __P((object *, object *));
@@ -817,3 +819,5 @@ extern short r_rings;
 extern short regeneration;
 extern short ring_exp;
 extern short stealthy;
+extern gid_t gid;
+extern gid_t egid;
diff --git a/rogue/score.c b/rogue/score.c
index bc4f580f..3ef52dcd 100644
--- a/rogue/score.c
+++ b/rogue/score.c
@@ -1,4 +1,4 @@
-/* $NetBSD: score.c,v 1.7 1998/11/10 13:01:32 hubertf Exp $ */
+/* $NetBSD: score.c,v 1.8 1999/09/12 09:02:23 jsm Exp $ */
 
 /*
  * Copyright (c) 1988, 1993
@@ -41,7 +41,7 @@
 #if 0
 static char sccsid[] = "@(#)score.c 8.1 (Berkeley) 5/31/93";
 #else
-__RCSID("$NetBSD: score.c,v 1.7 1998/11/10 13:01:32 hubertf Exp $");
+__RCSID("$NetBSD: score.c,v 1.8 1999/09/12 09:02:23 jsm Exp $");
 #endif
 #endif /* not lint */
 
@@ -213,11 +213,14 @@ put_scores(monster, other)
 
 	md_lock(1);
 
+	setegid(egid);
 	if ((fp = fopen(_PATH_SCOREFILE, "r+")) == NULL &&
 	    (fp = fopen(_PATH_SCOREFILE, "w+")) == NULL) {
+		setegid(gid);
 		message("cannot read/write/create score file", 0);
 		sf_error();
 	}
+	setegid(gid);
 	rewind(fp);
 	(void) xxx(1);
 
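Review bot: The child branch of md_shell loses its `setuid(uid)` without gaining a gid counterpart, although the description says old setuid revokes become gid revokes; the forked child still carries the parent's saved set-group-ID until exec resets it, so a `setgid(gid);` before the `execl` would drop it explicitly rather than relying on exec to do so. Nothing follows `execl` in the child either, so if the exec fails the child falls out of the `if` and runs on as a second copy of the game through `wait(&w)` and beyond; an `_exit(1);` after `execl(shell, shell, 0);` closes that hole. The enclosing function starts outside the hunk.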