From 2f593094f0c4f828fd81a3b052ee426135135694 Mon Sep 17 00:00:00 2001 From: jsm Date: Sun, 12 Sep 1999 09:02:20 +0000 Subject: Security improvements for games (largely from or inspired by OpenBSD). Games which run setgid from dm, but don't need to, should drop their privileges at startup. Games which have a scorefile should open it at startup, then drop all privileges leaving just the open writable file descriptor. If the game can invoke subprocesses, this should be made close-on-exec. Games with scorefiles should make sure they do not get a file descriptor < 3. (Otherwise, they could get confused and corrupt the scorefile when using stdin, stdout or stderr.) Some old setuid revokes from the days of setuid games change into gid revokes. --- rogue/score.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'rogue/score.c') diff --git a/rogue/score.c b/rogue/score.c index bc4f580f..3ef52dcd 100644 --- a/rogue/score.c +++ b/rogue/score.c @@ -1,4 +1,4 @@ -/* $NetBSD: score.c,v 1.7 1998/11/10 13:01:32 hubertf Exp $ */ +/* $NetBSD: score.c,v 1.8 1999/09/12 09:02:23 jsm Exp $ */ /* * Copyright (c) 1988, 1993 @@ -41,7 +41,7 @@ #if 0 static char sccsid[] = "@(#)score.c 8.1 (Berkeley) 5/31/93"; #else -__RCSID("$NetBSD: score.c,v 1.7 1998/11/10 13:01:32 hubertf Exp $"); +__RCSID("$NetBSD: score.c,v 1.8 1999/09/12 09:02:23 jsm Exp $"); #endif #endif /* not lint */ @@ -213,11 +213,14 @@ put_scores(monster, other) md_lock(1); + setegid(egid); if ((fp = fopen(_PATH_SCOREFILE, "r+")) == NULL && (fp = fopen(_PATH_SCOREFILE, "w+")) == NULL) { + setegid(gid); message("cannot read/write/create score file", 0); sf_error(); } + setegid(gid); rewind(fp); (void) xxx(1); -- cgit v1.2.3-56-ge451