From 2f593094f0c4f828fd81a3b052ee426135135694 Mon Sep 17 00:00:00 2001
From: jsm
Date: Sun, 12 Sep 1999 09:02:20 +0000
Subject: Security improvements for games (largely from or inspired by OpenBSD). Games which run setgid from dm, but don't need to, should drop their privileges at startup. Games which have a scorefile should open it at startup, then drop all privileges leaving just the open writable file descriptor. If the game can invoke subprocesses, this should be made close-on-exec. Games with scorefiles should make sure they do not get a file descriptor < 3. (Otherwise, they could get confused and corrupt the scorefile when using stdin, stdout or stderr.) Some old setuid revokes from the days of setuid games change into gid revokes.
---
 robots/main.c | 31 ++++++++++++++++++++++++++-----
 robots/robots.h | 5 +++--
 robots/score.c | 17 ++++++++---------
 3 files changed, 37 insertions(+), 16 deletions(-)
(limited to 'robots')
diff --git a/robots/main.c b/robots/main.c
index f2f9c97f..af8e8b7a 100644
--- a/robots/main.c
+++ b/robots/main.c
@@ -1,4 +1,4 @@
-/* $NetBSD: main.c,v 1.10 1999/09/08 21:45:29 jsm Exp $ */
+/* $NetBSD: main.c,v 1.11 1999/09/12 09:02:22 jsm Exp $ */
 /*
 * Copyright (c) 1980, 1993
@@ -43,7 +43,7 @@ __COPYRIGHT("@(#) Copyright (c) 1980, 1993\n\
 #if 0
 static char sccsid[] = "@(#)main.c 8.1 (Berkeley) 5/31/93";
 #else
-__RCSID("$NetBSD: main.c,v 1.10 1999/09/08 21:45:29 jsm Exp $");
+__RCSID("$NetBSD: main.c,v 1.11 1999/09/12 09:02:22 jsm Exp $");
 #endif
 #endif /* not lint */
@@ -61,6 +61,17 @@ main(ac, av)
 bool show_only;
 extern const char *Scorefile;
 extern int Max_per_uid;
+ int score_wfd; /* high score writable file descriptor */
+ int score_err = 0; /* hold errno from score file open */
+
+ score_wfd = open(Scorefile, O_RDWR);
+ if (score_wfd < 0)
+ score_err = errno;
+ else if (score_wfd < 3)
+ exit(1);
+
+ /* Revoke setgid privileges */
+ setregid(getgid(), getgid());
 show_only = FALSE;
 Num_games = 1;
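Review bot: The `setregid(getgid(), getgid())` call in the `@@ -61,6 +61,17 @@` hunk of robots/main.c ignores its return value, so a failed drop leaves the game running with its setgid group while it goes on to parse `av` and open a user-named score file. I would make the failure fatal, `if (setregid(getgid(), getgid()) < 0) err(1, "setregid");`, and confirm on each target platform that this call also resets the saved set-group-ID. The `else if (score_wfd < 3) exit(1);` branch terminates without any message; `errx(1, "score file opened on fd %d", score_wfd);` would make that case diagnosable. main() starts before and continues past this hunk.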
@@ -71,9 +82,12 @@ main(ac, av)
 if (isdigit(av[0][0]))
 Max_per_uid = atoi(av[0]);
 else {
- setuid(getuid());
- setgid(getgid());
 Scorefile = av[0];
+ if (score_wfd >= 0)
+ close(score_wfd);
+ score_wfd = open(Scorefile, O_RDWR);
+ if (score_wfd < 0)
+ score_err = errno;
 # ifdef FANCY
 sp = strrchr(Scorefile, '/');
 if (sp == NULL)
@@ -128,6 +142,13 @@ main(ac, av)
 /* NOTREACHED */
 }
+ if (score_wfd < 0) {
+ errno = score_err;
+ warn("%s", Scorefile);
+ warnx("High scores will not be recorded!");
+ sleep(2);
+ }
+
 initscr();
 signal(SIGINT, quit);
 crmode();
@@ -161,7 +182,7 @@ main(ac, av)
 refresh();
 if (Auto_bot)
 sleep(1);
- score();
+ score(score_wfd);
 if (Auto_bot)
 sleep(1);
 refresh();
diff --git a/robots/robots.h b/robots/robots.h
index 3fcf5c1c..eb93806a 100644
--- a/robots/robots.h
+++ b/robots/robots.h
@@ -1,4 +1,4 @@
-/* $NetBSD: robots.h,v 1.11 1999/09/08 21:17:57 jsm Exp $ */
+/* $NetBSD: robots.h,v 1.12 1999/09/12 09:02:22 jsm Exp $ */
 /*
 * Copyright (c) 1980, 1993
@@ -39,6 +39,7 @@
 # include
 # include
 # include
+# include
 # include
 # include
 # include
@@ -137,7 +138,7 @@ void quit __P((int)) __attribute__((__noreturn__));
 void reset_count __P((void));
 int rnd __P((int));
 COORD *rnd_pos __P((void));
-void score __P((void));
+void score __P((int));
 void set_name __P((SCORE *));
 void show_score __P((void));
 int sign __P((int));
diff --git a/robots/score.c b/robots/score.c
index ddc8ce56..ee0b5b18 100644
--- a/robots/score.c
+++ b/robots/score.c
@@ -1,4 +1,4 @@
-/* $NetBSD: score.c,v 1.9 1999/09/08 21:57:20 jsm Exp $ */
+/* $NetBSD: score.c,v 1.10 1999/09/12 09:02:22 jsm Exp $ */
 /*
 * Copyright (c) 1980, 1993
@@ -38,7 +38,7 @@
 #if 0
 static char sccsid[] = "@(#)score.c 8.1 (Berkeley) 5/31/93";
 #else
-__RCSID("$NetBSD: score.c,v 1.9 1999/09/08 21:57:20 jsm Exp $");
+__RCSID("$NetBSD: score.c,v 1.10 1999/09/12 09:02:22 jsm Exp $");
 #endif
 #endif /* not lint */
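Review bot: The re-open of a user-supplied score file in the `@@ -71,9 +82,12 @@` hunk of robots/main.c lacks the `score_wfd < 3` guard that the startup open applies. When the first open failed and the game was started with one of descriptors 0-2 closed, this second `open()` can return that descriptor, which is the scorefile-on-stdio corruption case the commit message sets out to prevent. Adding `else if (score_wfd < 3) exit(1);` after `score_err = errno;` closes the gap. The option-parsing loop around these lines starts and ends outside the hunk.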
@@ -116,18 +116,17 @@ write_score(inf)
 * top list.
 */
 void
-score()
+score(score_wfd)
+ int score_wfd;
 {
- int inf;
+ int inf = score_wfd;
 SCORE *scp;
 int uid;
 bool done_show = FALSE;
 Newscore = FALSE;
- if ((inf = open(Scorefile, O_RDWR)) < 0) {
- warn("opening `%s'", Scorefile);
+ if (inf < 0)
 return;
- }
 read_score(inf);
@@ -161,7 +160,7 @@ score()
 if (!Newscore) {
 Full_clear = FALSE;
- close(inf);
+ lseek(inf, 0, SEEK_SET);
 return;
 }
 else
@@ -191,7 +190,7 @@ score()
 if (Newscore) {
 write_score(inf);
 }
- close(inf);
+ lseek(inf, 0, SEEK_SET);
 }
 void
-- 
cgit v1.2.3-56-ge451
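Review bot: Rewinding the descriptor on the way out of score() (`lseek(inf, 0, SEEK_SET);` in the `@@ -161,7 +160,7 @@` and `@@ -191,7 +190,7 @@` hunks of robots/score.c) makes every present and future return path responsible for the file offset, and the lseek() result is never checked. The descriptor now lives for the whole process and score() appears to run once per game, so I would position the file on entry instead, `if (lseek(inf, 0, SEEK_SET) < 0) return;` placed just before `read_score(inf);` in the `@@ -116,18 +116,17 @@` hunk. The alias line would also benefit from a comment such as `/* opened in main() before privileges were dropped; not closed here */`. read_score() and write_score() lie outside these hunks, so whether they seek on their own cannot be confirmed from this page.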