Subject: [Freeciv-Dev] (PR#11851) Hack request should verify userid in addition to random string
From: "Ed Overton" <edoverton@xxxxxxxxxx>
Date: Sat, 8 Jan 2005 10:36:14 -0800
Reply-to: bugs@xxxxxxxxxxx

<URL: http://bugs.freeciv.org/Ticket/Display.html?id=11851 >

> [vasc - Sat Jan 08 16:21:02 2005]:

> I do not think this patch helps, although the bug report contained
> in it was interesting.

The patch does take an (admittedly) small step.  I believe you can
duplicate the issue on Linux as follows:

Log in as account X, and open two terminals.  In one terminal, ssh back
to the localhost as account Y.

1) In account Y, create ~/.freeciv .  Open its permissions wide.  Start
civserver.

2) In account X, define $HOME to ~Y/.freeciv .  Start civclient.

X's client has the ability to write to ~Y/.freeciv, and therefore gets
hack access.  With the patch, X's client does not get hack access since
the userids don't match.

> [vasc - Sat Jan 08 16:20:25 2005]:

> The security mechanism hinges on the fact that non-authorized
> persons are unable to write to the directory that will have the file
> with the challenge token. Your solution didn't ensure that.

The root problem is that there are insufficient steps taken to ensure
that only the server's account can write to that directory.  So long as
that's the case, there will be cases when a localhost client can get the
elevated hack access when the userids don't match.

The bottom line is that the server will be exposed if the directory is
writable by another userid.  In that case, it won't matter what is used
in the challenge file, since a hacked client will be able to insert
whatever is necessary.

The patch simply helps in the case where the client is not hacked.  If
the root problem is resolved some other way, then the patch is unnecessary.

Ed
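The three checks this thread argues about, combined into one decision, as an added example in C (not freeciv's own code): vasc's root-cause requirement that the directory holding the challenge file belong to the server's account and be unwritable by anyone else, Ed's patch requirement that the client's userid match the server's, and the challenge token itself. The function names, the token string and the temporary-directory demo helper are all constructed for this example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Root-cause check: the directory that will hold the challenge file must
 * be a real directory (not a symlink), owned by the server's account, and
 * not writable by group or world.  Hypothetical name, not freeciv's. */
int challenge_dir_is_safe(const char *dir, uid_t server_uid)
{
  struct stat st;

  if (lstat(dir, &st) != 0) {       /* lstat: a symlink is rejected below */
    return 0;
  }
  if (!S_ISDIR(st.st_mode)) {
    return 0;
  }
  if (st.st_uid != server_uid) {    /* someone else's directory */
    return 0;
  }
  if (st.st_mode & (S_IWGRP | S_IWOTH)) {  /* "permissions opened wide" */
    return 0;
  }
  return 1;
}

/* Full decision: the directory must be safe, the client must run under the
 * same userid as the server (the patch's point), and the token must match.
 * Hypothetical name, not freeciv's. */
int hack_request_is_acceptable(const char *dir, uid_t server_uid,
                               uid_t client_uid,
                               const char *expected_token,
                               const char *presented_token)
{
  if (!challenge_dir_is_safe(dir, server_uid)) {
    return 0;
  }
  if (client_uid != server_uid) {
    return 0;
  }
  if (strcmp(expected_token, presented_token) != 0) {
    return 0;
  }
  return 1;
}

/* Demo helper: create a temporary directory owned by the current user with
 * the given mode, run the decision against it with a constructed token,
 * remove the directory, and return the verdict (-1 on setup failure). */
int demo_decision(mode_t dir_mode, uid_t client_uid, const char *presented_token)
{
  char path[] = "/tmp/civ_demo_XXXXXX";  /* constructed path template */
  int verdict;

  if (mkdtemp(path) == NULL) {
    return -1;
  }
  if (chmod(path, dir_mode) != 0) {
    rmdir(path);
    return -1;
  }
  verdict = hack_request_is_acceptable(path, getuid(), client_uid,
                                       "constructed-token", presented_token);
  rmdir(path);
  return verdict;
}

int main(void)
{
  uid_t me = getuid();

  printf("private dir, same uid, right token: %d\n",
         demo_decision(0700, me, "constructed-token"));
  printf("world-writable dir (step 1 of the report): %d\n",
         demo_decision(0777, me, "constructed-token"));
  printf("private dir but client uid differs: %d\n",
         demo_decision(0700, me + 1, "constructed-token"));
  printf("private dir, same uid, wrong token: %d\n",
         demo_decision(0700, me, "wrong-token"));
  return 0;
}
```

The second case is the scenario from the report: once the directory is group- or world-writable, the verdict is already negative before the token or the userid is consulted, which is why the token alone cannot carry the decision. The third case is what the patch adds: even with a private directory and a correct token, a client running under a different userid is refused.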


