Security improvements for games (largely from or inspired by OpenBSD).

Games which run setgid from dm, but don't need to, should drop their
privileges at startup.

Games which have a scorefile should open it at startup, then drop all
privileges leaving just the open writable file descriptor.  If the
game can invoke subprocesses, this should be made close-on-exec.

Games with scorefiles should make sure they do not get a file
descriptor < 3.  (Otherwise, they could get confused and corrupt the
scorefile when using stdin, stdout or stderr.)

Some old setuid revokes from the days of setuid games change into gid
revokes.

4 files changed, 30 insertions, 11 deletions

diff --git a/rogue/init.c b/rogue/init.c
index f06ca3b4..afa5245c 100644
--- a/rogue/init.c
+++ b/rogue/init.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: init.c,v 1.9 1999/09/09 17:27:59 jsm Exp $	*/
+/*	$NetBSD: init.c,v 1.10 1999/09/12 09:02:23 jsm Exp $	*/
 
 /*
  * Copyright (c) 1988, 1993
@@ -41,7 +41,7 @@
 #if 0
 static char sccsid[] = "@(#)init.c	8.1 (Berkeley) 5/31/93";
 #else
-__RCSID("$NetBSD: init.c,v 1.9 1999/09/09 17:27:59 jsm Exp $");
+__RCSID("$NetBSD: init.c,v 1.10 1999/09/12 09:02:23 jsm Exp $");
 #endif
 #endif /* not lint */
 
@@ -57,6 +57,8 @@ __RCSID("$NetBSD: init.c,v 1.9 1999/09/09 17:27:59 jsm Exp $");
  *
  */
 
+#include <fcntl.h>
+
 #include "rogue.h"
 
 char login_name[MAX_OPT_LEN];
@@ -72,6 +74,7 @@ boolean no_skull = 0;
 boolean passgo = 0;
 const char *error_file = "rogue.esave";
 const char *byebye_string = "Okay, bye bye!";
+gid_t gid, egid;
 
 int
 init(argc, argv)
@@ -80,6 +83,16 @@ init(argc, argv)
 {
 	const char *pn;
 	int seed;
+	int fd;
+
+	gid = getgid();
+	egid = getegid();
+	setegid(gid);
+	/* Check for dirty tricks with closed fds 0, 1, 2 */
+	fd = open("/dev/null", O_RDONLY);
+	if (fd < 3)
+		exit(1);
+	close(fd);
 
 	seed = 0;
 	pn = md_gln();
diff --git a/rogue/machdep.c b/rogue/machdep.c
index 7e23ebf0..841f7b01 100644
--- a/rogue/machdep.c
+++ b/rogue/machdep.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: machdep.c,v 1.9 1998/11/10 13:01:32 hubertf Exp $	*/
+/*	$NetBSD: machdep.c,v 1.10 1999/09/12 09:02:23 jsm Exp $	*/
 
 /*
  * Copyright (c) 1988, 1993
@@ -41,7 +41,7 @@
 #if 0
 static char sccsid[] = "@(#)machdep.c	8.1 (Berkeley) 5/31/93";
 #else
-__RCSID("$NetBSD: machdep.c,v 1.9 1998/11/10 13:01:32 hubertf Exp $");
+__RCSID("$NetBSD: machdep.c,v 1.10 1999/09/12 09:02:23 jsm Exp $");
 #endif
 #endif /* not lint */
 
@@ -471,10 +471,13 @@ md_lock(l)
 	short tries;
 
 	if (l) {
+		setegid(egid);
 		if ((fd = open(_PATH_SCOREFILE, O_RDONLY)) < 1) {
+			setegid(gid);
 			message("cannot lock score file", 0);
 			return;
 		}
+		setegid(gid);
 		for (tries = 0; tries < 5; tries++)
 			if (!flock(fd, LOCK_EX|LOCK_NB))
 				return;
@@ -500,10 +503,6 @@ md_shell(shell)
 	int w;
 
 	if (!fork()) {
-		int uid;
-
-		uid = getuid();
-		setuid(uid);
 		execl(shell, shell, 0);
 	}
 	wait(&w);
diff --git a/rogue/rogue.h b/rogue/rogue.h
index 92d49c09..0bf1e105 100644
--- a/rogue/rogue.h
+++ b/rogue/rogue.h
@@ -1,4 +1,4 @@
-/*	$NetBSD: rogue.h,v 1.9 1999/09/08 21:45:30 jsm Exp $	*/
+/*	$NetBSD: rogue.h,v 1.10 1999/09/12 09:02:23 jsm Exp $	*/
 
 /*
  * Copyright (c) 1988, 1993
@@ -457,6 +457,8 @@ extern char *CL;
  */
 #include <stdio.h>
 #include <string.h>
+#include <sys/types.h>
+#include <unistd.h>
 
 object	*alloc_object __P((void));
 object	*check_duplicate __P((object *, object *));
@@ -817,3 +819,5 @@ extern	short	r_rings;
 extern	short	regeneration;
 extern	short	ring_exp;
 extern	short	stealthy;
+extern	gid_t	gid;
+extern	gid_t	egid;
diff --git a/rogue/score.c b/rogue/score.c
index bc4f580f..3ef52dcd 100644
--- a/rogue/score.c
+++ b/rogue/score.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: score.c,v 1.7 1998/11/10 13:01:32 hubertf Exp $	*/
+/*	$NetBSD: score.c,v 1.8 1999/09/12 09:02:23 jsm Exp $	*/
 
 /*
  * Copyright (c) 1988, 1993
@@ -41,7 +41,7 @@
 #if 0
 static char sccsid[] = "@(#)score.c	8.1 (Berkeley) 5/31/93";
 #else
-__RCSID("$NetBSD: score.c,v 1.7 1998/11/10 13:01:32 hubertf Exp $");
+__RCSID("$NetBSD: score.c,v 1.8 1999/09/12 09:02:23 jsm Exp $");
 #endif
 #endif /* not lint */
 
@@ -213,11 +213,14 @@ put_scores(monster, other)
 
 	md_lock(1);
 
+	setegid(egid);
 	if ((fp = fopen(_PATH_SCOREFILE, "r+")) == NULL &&
 	    (fp = fopen(_PATH_SCOREFILE, "w+")) == NULL) {
+		setegid(gid);
 		message("cannot read/write/create score file", 0);
 		sf_error();
 	}
+	setegid(gid);
 	rewind(fp);
 	(void) xxx(1);