[Freeciv-Dev] Re: connect dialog ver 3 (PR#1911)
To: Freeciv-Dev <freeciv-dev@xxxxxxxxxxx>
Subject: [Freeciv-Dev] Re: connect dialog ver 3 (PR#1911)
From: Reinier Post <rp@xxxxxxxxxx>
Date: Wed, 23 Oct 2002 20:23:12 +0200

On Wed, Oct 23, 2002 at 08:44:36AM -0500, Mike Kaufman wrote:
> On Wed, Oct 23, 2002 at 12:15:36PM +0000, Per I. Mathisen wrote:
> > On Wed, 23 Oct 2002, Reinier Post wrote:
> > > > I did write "a directory of their own". That, and as long as the 
> > > > filename
> > > > is restricted to the set [a-z,A-Z,0-9,'-'], then security should be
> > > > foolproof by design.
> > >
> > > Yes, with the understanding that "a directory of their own" means (due
> > > to symlinks) that you actually have to move up from that directory to
> > > .. until the root and test that none of the directories you find are 
> > > writeable
> > > by others.
> > 
> > Say Freeciv creates ~/.freeciv/savegames/ with chmod 700. I don't see any
> > way a hostile local user or a network user may manage to exploit it with
> > the restrictions mentioned above.
> 
> no. this is crazy. An attacker can simply fill up your hard drive with
> savegames. I don't want to give someone this ability and I don't want to
> mandate quotas as a prereq to playing freeciv.

I don't really see the problem.
 
> No. giving hack privileges requires either the person who actually
> started the server or a _trusted_ user.
> 
> It's clear to me now that if we're going to do this, we're going to have to
> do it right and that means public key encryption. I think vasc is right:
> it's certainly easier to send commands to the server via sockets rather
> than pipes. All it requires is making sure the server knows who it's
> talking to. A key or password written to a file that both the server and
> client running with the same uid have access to is an easy way to
> accomplish that.

All of this is clumsy and unnecessary for the stated purpose, in my opinion.
Client authorization is certainly needed, but I don't think it should be used
for opening up hack level command access.

-- 
Reinier

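The two checks discussed in the thread above, as an added example that is not code from this thread or from Freeciv itself: the filename whitelist [a-z,A-Z,0-9,'-'] that Per refers to, and the directory-chain test Reinier describes (resolve the save directory, then walk from it up to / and refuse if any directory on the way is writable by others). It assumes the save directory is ~/.freeciv/savegames as in Per's message. It also goes one step beyond what the thread states: every directory on the chain must be owned by root or the current user, because a directory owned by a third party can have its entries replaced by that owner regardless of the mode bits.

```c
/* Added example: filename whitelist and parent-directory chain check for a
   per-user savegame directory. Not Freeciv code. The ownership test is an
   addition beyond the thread's "writable by others" criterion. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Accept only non-empty names of bounded length built from [A-Za-z0-9-].
   Explicit ranges rather than isalnum() so the locale cannot widen the set.
   With no '.' or '/' allowed, "..", hidden files and path separators are
   impossible by construction. Returns 1 if acceptable, 0 otherwise. */
int safe_savegame_name(const char *name)
{
  size_t i, len;
  if (name == NULL) return 0;
  len = strlen(name);
  if (len == 0 || len > 64) return 0;
  for (i = 0; i < len; i++) {
    char c = name[i];
    if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
          || (c >= '0' && c <= '9') || c == '-')) {
      return 0;
    }
  }
  return 1;
}

/* Resolve dir to its canonical path (following any symlinks), then walk
   from it up to "/" and inspect each component with lstat(). Returns 1 if
   every directory is a real directory, not writable by group or others,
   and owned by root or the calling user; 0 if any component fails; -1 if
   the path cannot be resolved or stat'ed. Note that this is a point-in-time
   check: the directory should still be created with mkdir(..., 0700) and
   files opened with O_EXCL, since permissions can change after the check. */
int dir_chain_safe(const char *dir)
{
  char path[PATH_MAX];
  char *slash;
  struct stat st;
  uid_t me = getuid();

  if (realpath(dir, path) == NULL) return -1;

  for (;;) {
    if (lstat(path, &st) != 0) return -1;
    /* realpath() already resolved links, so anything but a directory here
       means the tree changed underneath us: treat as unsafe. */
    if (!S_ISDIR(st.st_mode)) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;  /* e.g. /tmp fails here */
    if (st.st_uid != 0 && st.st_uid != me) return 0;
    if (strcmp(path, "/") == 0) break;
    slash = strrchr(path, '/');
    if (slash == path) {
      path[1] = '\0';      /* parent of "/foo" is "/" */
    } else {
      *slash = '\0';       /* strip the last component */
    }
  }
  return 1;
}

int main(void)
{
  char savedir[PATH_MAX];
  const char *home = getenv("HOME");
  const char *names[] = { "game-1", "../etc/passwd", "save.sav", "" };
  size_t i;

  for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
    printf("name \"%s\": %s\n", names[i],
           safe_savegame_name(names[i]) ? "accepted" : "rejected");
  }

  if (home == NULL) home = "";
  snprintf(savedir, sizeof savedir, "%s/.freeciv/savegames", home);
  printf("chain check for %s: %d\n", savedir, dir_chain_safe(savedir));
  printf("chain check for /tmp: %d\n", dir_chain_safe("/tmp"));
  return 0;
}
```

Both checks are cheap enough to run at every open, not only at startup; the chain check in particular only matters if it is repeated, because the thread's threat is another local user who can change a directory between the time you looked and the time you write.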
