Complete.Org: Mailing Lists: Archives: freeciv-dev: June 2005:
[Freeciv-Dev] Re: (PR#13262) pubserver-in-a-diff
To: per@xxxxxxxxxxx
Subject: [Freeciv-Dev] Re: (PR#13262) pubserver-in-a-diff
From: "Jason Short" <jdorje@xxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 22 Jun 2005 09:41:46 -0700
Reply-to: bugs@xxxxxxxxxxx

<URL: http://bugs.freeciv.org/Ticket/Display.html?id=13262 >

Per I. Mathisen wrote:
> <URL: http://bugs.freeciv.org/Ticket/Display.html?id=13262 >
> 
> On Mon, 13 Jun 2005, Per I. Mathisen wrote:
> 
>>This patch implements the ./configure switch --enable-pubserver.
> 
> New version. What is changed?
>  * scripts are read with permission level of requesting player (is
>    read with hack cmdlevel in cvs)

This is still a security hole.  Unprivileged players can read any file
that the server process owner has read access to.

>  * display normal or more important freelogs even if we log to file

Seems proper.  Can you separate this part out?

>  * pubserver only: allow /read, /rulesetdir and /load of scenarios;
>    the security measures for these should now be very tight

This latter should also be separated out.  Fixing /rulesetdir is not
just for pubserver.

>  * when loading a game, if players have valid users associated with them,
>    these players will not 'ready' when they have no connection; this is to
>    stop cheating by loading savegames from previous games without
>    alerting or waiting for the other players

Interesting.

> I think perhaps authentication does not need to be part of this switch.
> That would make it harder to run a public server than is necessary - since
> it is plausible some people would want to run public servers without
> authentication.
> 
> I still need to figure out how to reap old games. Since we create a 'game
> session' directory whenever a server starts, they will quickly add up. We
> need to know which are 'in use' and which are not, and then find some
> criteria for which games to reap and which to leave be. Games with no
> savegames are obvious candidates for quick reaping, but how to know they
> are not in use (by another civserver)?

I am even more strongly against having this be a configure-time switch
however.  Making it a configure-time switch prevents those with binary
installations from running it.  Debian would most likely have to have an
additional package containing the exact same server with just the
pubserver defines enabled, for instance.  And once you have the
pubserver server, you can't use it for regular play.  Finally the use of
code that isn't often compiled is bug-prone.

I know it's not trivial to make some of these changes (like the changed
settings) runtime configurable.  However if we figure out how to do this
it will have benefits in other places too: for instance when starting a
game through the client we'd like to be able to change the default
topology, so that /show changed will only show it if it doesn't match
the view.  I'm willing to help out with this, but I think we need to
separate the issues and deal with them one at a time.

-jason
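
Added example, not part of the original message and not Freeciv code: one way to close the hole described above (a player-supplied /read path reaching any file the server process can read) is to accept only paths that resolve inside one script directory. The directory restriction itself, the names `script_path_allowed` and `demo_mask`, and the sample file names are assumptions made for this sketch.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700          /* realpath(), mkdtemp() */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical helper (not a Freeciv function): returns 1 and fills 'out'
 * (PATH_MAX bytes) only if 'requested' resolves to an existing file under
 * 'base_dir'. Assumes base_dir is not "/". */
int script_path_allowed(const char *base_dir, const char *requested, char *out)
{
  char base[PATH_MAX], joined[PATH_MAX], real[PATH_MAX];
  size_t blen;
  if (requested[0] == '\0' || requested[0] == '/') return 0; /* absolute */
  if (!realpath(base_dir, base)) return 0;
  if (snprintf(joined, sizeof(joined), "%s/%s", base, requested)
      >= (int) sizeof(joined)) return 0;        /* refuse, never truncate */
  /* realpath() collapses ".." and follows symlinks, so the prefix test is
   * made on where the file really is, not on the string the player typed. */
  if (!realpath(joined, real)) return 0;
  blen = strlen(base);
  if (strncmp(real, base, blen) != 0 || real[blen] != '/') return 0;
  strcpy(out, real);
  return 1;
}

/* Constructed demo: creates <tmp>/scripts/ok.serv and <tmp>/secret, then
 * returns a bitmask with bit i set when req[i] was allowed. */
int demo_mask(void)
{
  char tmpl[] = "/tmp/readdemoXXXXXX", dir[PATH_MAX], f[PATH_MAX], out[PATH_MAX];
  const char *req[] = { "ok.serv", "../secret", "/etc/passwd", "missing.serv" };
  FILE *fp;
  int i, mask = 0;
  if (!mkdtemp(tmpl)) return -1;
  snprintf(dir, sizeof(dir), "%s/scripts", tmpl);
  mkdir(dir, 0700);
  snprintf(f, sizeof(f), "%s/ok.serv", dir);
  if ((fp = fopen(f, "w"))) fclose(fp);
  snprintf(f, sizeof(f), "%s/secret", tmpl);
  if ((fp = fopen(f, "w"))) fclose(fp);
  for (i = 0; i < 4; i++) mask |= script_path_allowed(dir, req[i], out) << i;
  return mask;
}

int main(void) { return demo_mask() == 1 ? 0 : 1; }
```

The caller should open the canonical path returned in `out`, not the original string, so that the file opened is the one that was checked. Lowering the command level of the reader, as the quoted patch does, does not replace this check, because file access is decided by the server process's own permissions.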




