Security improvements for games (largely from or inspired by OpenBSD).

Games which run setgid from dm, but don't need to, should drop their
privileges at startup.

Games which have a scorefile should open it at startup, then drop all
privileges leaving just the open writable file descriptor.  If the
game can invoke subprocesses, this should be made close-on-exec.

Games with scorefiles should make sure they do not get a file
descriptor < 3.  (Otherwise, they could get confused and corrupt the
scorefile when using stdin, stdout or stderr.)

Some old setuid revokes from the days of setuid games change into gid
revokes.

2 files changed, 30 insertions, 11 deletions

diff --git a/snake/snake/snake.c b/snake/snake/snake.c
index a356a02f..c3a69681 100644
--- a/snake/snake/snake.c
+++ b/snake/snake/snake.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: snake.c,v 1.12 1999/09/08 21:57:21 jsm Exp $	*/
+/*	$NetBSD: snake.c,v 1.13 1999/09/12 09:02:23 jsm Exp $	*/
 
 /*
  * Copyright (c) 1980, 1993
@@ -43,7 +43,7 @@ __COPYRIGHT("@(#) Copyright (c) 1980, 1993\n\
 #if 0
 static char sccsid[] = "@(#)snake.c	8.2 (Berkeley) 1/7/94";
 #else
-__RCSID("$NetBSD: snake.c,v 1.12 1999/09/08 21:57:21 jsm Exp $");
+__RCSID("$NetBSD: snake.c,v 1.13 1999/09/12 09:02:23 jsm Exp $");
 #endif
 #endif				/* not lint */
 
@@ -101,6 +101,9 @@ int     repeat = 1;
 time_t  tv;
 char   *tn;
 
+int rawscores;
+FILE *logfile;
+
 int main __P((int, char **));
 
 int
@@ -112,6 +115,20 @@ main(argc, argv)
 	extern int optind;
 	int     ch, i;
 
+	/* Open score files then revoke setgid privileges */
+	rawscores = open(_PATH_RAWSCORES, O_RDWR|O_CREAT, 0664);
+	if (rawscores < 0) {
+		warn("open %s", _PATH_RAWSCORES);
+		sleep(2);
+	} else if (rawscores < 3)
+		exit(1);
+	logfile = fopen(_PATH_LOGFILE, "a");
+	if (logfile == NULL) {
+		warn("fopen %s", _PATH_LOGFILE);
+		sleep(2);
+	}
+	setregid(getgid(), getgid());
+
 	(void) time(&tv);
 	srandom((int) tv);
 
@@ -498,9 +515,8 @@ post(iscore, flag)
 		pr("No saved scores for uid %d.\n", uid);
 		return (1);
 	}
-	if ((rawscores = open(_PATH_RAWSCORES, O_RDWR | O_CREAT, 0644)) < 0) {
-		pr("No score file %s: %s.\n", _PATH_RAWSCORES,
-		    strerror(errno));
+	if (rawscores < 0) {
+		/* Error reported earlier */
 		return (1);
 	}
 	/* Figure out what happened in the past */
@@ -532,7 +548,7 @@ post(iscore, flag)
 			pr("You set a new record!\n");
 	} else
 		pr("The highest is %s with $%d\n", p->pw_name, allbscore);
-	close(rawscores);
+	lseek(rawscores, 0, SEEK_SET);
 	return (1);
 }
 
@@ -935,13 +951,12 @@ void
 logit(msg)
 	const char   *msg;
 {
-	FILE   *logfile;
 	time_t  t;
 
-	if ((logfile = fopen(_PATH_LOGFILE, "a")) != NULL) {
+	if (logfile != NULL) {
 		time(&t);
 		fprintf(logfile, "%s $%d %dx%d %s %s",
 		    getlogin(), cashvalue, lcnt, ccnt, msg, ctime(&t));
-		fclose(logfile);
+		fflush(logfile);
 	}
 }
diff --git a/snake/snscore/snscore.c b/snake/snscore/snscore.c
index e50fed75..65b6b228 100644
--- a/snake/snscore/snscore.c
+++ b/snake/snscore/snscore.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: snscore.c,v 1.10 1999/09/09 17:28:00 jsm Exp $	*/
+/*	$NetBSD: snscore.c,v 1.11 1999/09/12 09:02:23 jsm Exp $	*/
 
 /*
  * Copyright (c) 1980, 1993
@@ -43,7 +43,7 @@ __COPYRIGHT("@(#) Copyright (c) 1980, 1993\n\
 #if 0
 static char sccsid[] = "@(#)snscore.c	8.1 (Berkeley) 7/19/93";
 #else
-__RCSID("$NetBSD: snscore.c,v 1.10 1999/09/09 17:28:00 jsm Exp $");
+__RCSID("$NetBSD: snscore.c,v 1.11 1999/09/12 09:02:23 jsm Exp $");
 #endif
 #endif /* not lint */
 
@@ -53,6 +53,7 @@ __RCSID("$NetBSD: snscore.c,v 1.10 1999/09/09 17:28:00 jsm Exp $");
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 #include "pathnames.h"
 
 const char *recfile = _PATH_RAWSCORES;
@@ -77,6 +78,9 @@ main()
 	const	char *q;
 	struct	passwd	*p;
 
+	/* Revoke setgid privileges */
+	setregid(getgid(), getgid());
+
 	fd = fopen(recfile, "r");
 	if (fd == NULL)
 		err(1, "opening `%s'", recfile);