Complete.Org: Mailing Lists: Archives: freeciv-dev: January 2005:
[Freeciv-Dev] Re: (PR#11851) Hack request should verify userid in additi

[Freeciv-Dev] Re: (PR#11851) Hack request should verify userid in additi

[Top] [All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]
To: edoverton@xxxxxxxxxx
Subject: [Freeciv-Dev] Re: (PR#11851) Hack request should verify userid in addition to random string
From: "Vasco Alexandre da Silva Costa" <vasc@xxxxxxxxxxxxxx>
Date: Sat, 8 Jan 2005 08:21:07 -0800
Reply-to: bugs@xxxxxxxxxxx

<URL: >

On Fri, 7 Jan 2005, Mike Kaufman wrote:

> <URL: >
> On Fri, Jan 07, 2005 at 05:59:34PM -0800, Ed Overton wrote:
> >
> > for the hack request file can resolve to the current directory.  When
> > user A is running the server and user B is running a client, both can be
> > running in the same current directory (where the civserver and civclient
> > are installed).  In that case, user B's client is granted hack access to
> > user A's server when the common directory is writable.
> I think the answer is that that's ok. We only care if the client can write
> to the same directory as the server. If that's the case, then it doesn't
> matter if the client directs the server to do a write.
> However, I do see your point. The server could have write permissions to a
> superset of the filespace that the client does, so in that case, having hack
> on such a server effectively gives elevated permissions to the client.
> Your patch doesn't solve that however as user B can simply log in as user A.
> It might help a bit if the server where authenticating...
> The patch looks ok at a glance. I don't know if it solves any problem.
> Vasc?

I do not think this patch helps, although the bug report contained in
it was interesting.

Vasco Alexandre da Silva Costa @ Instituto Superior Tecnico, Lisboa

[Prev in Thread] Current Thread [Next in Thread]