[Freeciv-Dev] Re: (PR#11851) Hack request should verify userid in additi
<URL: http://bugs.freeciv.org/Ticket/Display.html?id=11851 >
On Fri, Jan 07, 2005 at 05:59:34PM -0800, Ed Overton wrote:
>
> for the hack request file can resolve to the current directory. When
> user A is running the server and user B is running a client, both can be
> running in the same current directory (where the civserver and civclient
> are installed). In that case, user B's client is granted hack access to
> user A's server when the common directory is writable.
I think the answer is that that's ok. We only care if the client can write
to the same directory as the server. If that's the case, then it doesn't
matter if the client directs the server to do a write.
However, I do see your point. The server could have write permissions to a
superset of the filespace that the client does, so in that case, having hack
on such a server effectively gives elevated permissions to the client.
Your patch doesn't solve that, however, as user B can simply log in as user A.
It might help a bit if the server were authenticating...
The patch looks ok at a glance. I don't know if it solves any problem.
Vasc?
-mike