英文:
Why is running Quake II as root stupid?
问题
他们在Quake II 中阻止用户以 root 权限运行游戏的原因是什么?
英文:
I am reviewing the Quake II source code and found out that they prevented users running the game as root:
/* Prevent running Quake II as root. Only very mad
minded or stupid people even think about it. :) */
if (getuid() == 0)
{
printf("Quake II shouldn't be run as root! Backing out to save your ass. If\n");
printf("you really know what you're doing, edit src/unix/main.c and remove\n");
printf("this check. But don't complain if Quake II eats your dog afterwards!\n");
return 1;
}
What were the specific reasons to do that in Quake II?
答案1
得分: 7
我怀疑他们没有考虑到任何非常具体的代码部分。很可能只是因为所有软件都会有漏洞,以root特权运行软件会使漏洞变得更加危险。
但可能会引发问题的一个候选项是QuakeC语言,用于创建模组。特别是因为这些模组是由用户制作的,而且超出了Id Software的控制。此外,它是一个具有服务器和客户端的网络应用程序。这本身已经足够成为理由了。
所以,原因很可能是99%以root身份启动它的人都是出于错误,通常没有任何理由以root身份运行游戏。
我实际上非常喜欢这个想法。我喜欢它到了可以考虑在几乎所有未来的代码中使用这个简单的检查。
编辑:
我觉得提供一个示例是个好主意。有很多情况下以root权限执行东西可能会出问题,但想象一下,程序或游戏将一些临时文件存储在/tmp/mygame中,并在退出时执行类似于rm -rf /tmp/mygame的操作。现在想象一下,由于某种原因(缓冲区溢出,位翻转,某个程序员“测试一个东西”并且没有还原,或其他原因),'t'字符被损坏,并且变成了'\0'的值。请记住,C字符串是以NUL结尾的。
现在,它将执行rm -rf /,如果发生这种情况,您会希望它不以root权限执行。
是的,我知道您需要添加--no-preserve-root才能使这个特定示例造成任何损害,但这不是重点。重点是,如果程序以root访问权限执行可能会导致损害的风险,并且程序不需要以root权限执行其所需的操作,那么防止其以root身份执行是合理的。这只是增加了一层额外的安全性。
另一个示例是程序可能被感染了病毒。如果是这种情况,绝对不要以root权限执行它。
英文:
I doubt there is any very specific pieces of code they have thought of. It is likely just that all software have bugs, and running the software with root privilege makes bugs much more dangerous.
But a good candidate to cause issues is the QuakeC language used to create mods. Especially since these mods are made by users and out of Id Softwares control. Also, it is a network application with servers and client. This on it's own is definitely reason enough.
So the reason is likely simply that 99% of those who start it as root does so by mistake, and normally there is no reason whatsoever to run a game as root.
I actually really like this. I like it so much that I am considering using this simple check in almost all future code.
EDIT:
I figured it would be a good idea to give an example. There are tons of situations how executing stuff as root could go bad, but imagine that program or game stores some temporary files in /tmp/mygame and upon exit, the program executes something similar to rm -rf /tmp/mygame. Now imagine that the 't' character gets corrupted by whatever reason (buffer overflows, bit flips, some programmer "testing a thing" and does not restore or whatever reason) and gets the value '\0'. Remember that C strings are NUL terminated.
Now, instead of executing rm -rf /tmp/mygame it will execute rm -rf /. If this happens you would wish it was not executed with root privileges.
And yes, I do know that you would need to add --no-preserve-root in order to make this particular example cause any damage, but that's not the point. The point is that if there is a risk that the program could cause damage if executed with root access and the program does not need to be executed with root access to do what it should, then it is sensible to prevent it from being executed as root at all. It simply adds an extra layer of security.
Another example is that the program may be infected with a virus. If that's the case, you definitely don't want to execute it as root.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论