FS#6193 - RCON cd allows full browsing

Attached to Project: OpenTTD
Opened by Dennis Weewer (Sp1k3) - Saturday, 27 December 2014, 10:31 GMT
Type Bug
Category Core
Status New
Assigned To No-one
Operating System All
Severity Low
Priority Normal
Reported Version trunk
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No



When we were looking around with rcon on the ottdc stable server we started noticing that it was possible to browse the complete filesystem using rcon. Which is something that allows "fellow" players to explore the server's filesystem and get information which could be enough to find weaknesses in a system (for example).

Possible solution would be to limit RCON with a sort of chroot kinda variable which defaults to the path OTTD is in but paths can be added in the config. This allows users (and distro maintainers) to add paths where needed while still keeping rcon contained. And should a user (on *NIX systems for example) want to add / it's a risk they want to take.

Just my 2 cents in this case. For more info/ideas poke me or pm cause had discussion already :)

Comment by Jan Skoch (The_Dude) - Saturday, 27 December 2014, 11:14 GMT
Shouldn't it be enough to limit the folder access of the user under which openttd is running?
Comment by Dennis Weewer (Sp1k3) - Saturday, 27 December 2014, 11:16 GMT
If OTTD comes from a distro it might have different (perhaps even separated) folders
Comment by Mingwei Samuel (Hazzard) - Sunday, 28 December 2014, 00:57 GMT
Since the `!rcon cd` command only seems able to move one (relative) folder at a time, it could be enough to blacklist a single folder. (Might have to worry about symlinks, not sure how openttd handles them). It wouldn't be too difficult to go all the way to just check if the user is entering a subfolder.

Some openttd.cfg setting like `rcon_root` or maybe `rcon_scope` (disabled/unused by default) would be a good way to configure it.

Side note, hypothetically you could do this by placing the openttd run location in an unreadable (by openttd) folder, but when I tried it it was "unabled to get back to working directory" or something similar, since it seemed to be using some absolute paths.
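
The subfolder check with symlink handling discussed in this comment, as an added example (not OpenTTD code and not written by anyone in this thread): `rcon_root`, `IsWithin`, `ResolveRconCd` and `DemoAllows` are hypothetical names, and the directory tree is constructed in the temp directory.

```cpp
// Added example; rcon_root and all function names are hypothetical, not OpenTTD code.
#include <algorithm>
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// True when `path` equals `root` or lies below it. Comparing whole components
// keeps "/srv/openttd-evil" from matching the root "/srv/openttd".
static bool IsWithin(const fs::path &root, const fs::path &path)
{
	return std::mismatch(root.begin(), root.end(), path.begin(), path.end()).first == root.end();
}

// Resolve an rcon `cd` request; return the new directory only if it stays in rcon_root.
std::optional<fs::path> ResolveRconCd(const fs::path &rcon_root, const fs::path &cwd, const std::string &request)
{
	std::error_code ec;
	// canonical() follows symlinks and collapses "..", so the check sees the real target.
	const fs::path root = fs::canonical(rcon_root, ec);
	if (ec) return std::nullopt;
	const fs::path target = fs::canonical(cwd / request, ec); // an absolute request replaces cwd
	if (ec || !fs::is_directory(target, ec)) return std::nullopt;
	if (!IsWithin(root, target)) return std::nullopt;
	return target;
}

// Constructed tree: <tmp>/rcon_demo/game/{scenario, escape -> ../outside} plus
// <tmp>/rcon_demo/outside. Returns whether `request` is allowed from game/.
bool DemoAllows(const std::string &request)
{
	const fs::path base = fs::temp_directory_path() / "rcon_demo";
	fs::remove_all(base);
	fs::create_directories(base / "game" / "scenario");
	fs::create_directories(base / "outside");
	fs::create_directory_symlink(base / "outside", base / "game" / "escape");
	const bool ok = ResolveRconCd(base / "game", base / "game", request).has_value();
	fs::remove_all(base);
	return ok;
}

int main()
{
	for (const char *req : {"scenario", "scenario/..", "..", "escape", "escape/..", "/etc"}) {
		std::cout << req << " -> " << (DemoAllows(req) ? "allowed" : "denied") << '\n';
	}
}
```

A caller should change directory to the returned canonical path rather than to the raw request, so the path that was checked is the path that is used.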
Comment by Peter Nelson (peter1138) - Friday, 02 January 2015, 06:31 GMT
Perhaps don't give people you don't trust access to your rcon password?
Comment by Dennis Weewer (Sp1k3) - Saturday, 03 January 2015, 10:41 GMT
That is something I agree and disagree with at the same time. Yes you should only give rcon access to ppl you trust. But SOAP? Or things that might for some reason get around rcon (unknown bug who knows). It might just be my security mindset here. But that's where I come from these days. Possible attack vectors should be covered. In ottdc's case we run each server in a separate container. But not everybody has that possibility and being able to look into a file system of a server should not be possible unless it's the paths it's supposed to be in. And not my /etc folder. Should something be discovered, /etc/passwd is just a few commands away, allowing usernames to be seen, next step bruteforce.
Comment by pagnon stephane (krinn) - Saturday, 03 January 2015, 20:42 GMT
You don't need any names from /etc/passwd, as one name is already known: root
And many other names are known as they are common in a distro version (just browse the file and look at all the names you didn't add yourself). Or by social engineering, it wouldn't be a big surprise if your host has a Sp1k3 user ;)

If you don't trust your users, you should work on that instead of trying to hide their names.
And even without any name given, unhandled bruteforce attempts allow a DoS attack. is a broken concept.
Comment by Grzegorz Duczyński (adf88) - Sunday, 11 January 2015, 12:22 GMT
It's not just about /etc/passwd. An attacker can crawl over the filesystem to find weaknesses e.g. some buggy services that are installed. Browsing out of openttd folder should be disabled by default.

Some people may not realize that his/her rcon password is that important. The password should give access to openttd, not to the whole system.
Also rcon authentication is far from being truly safe (AFAIK the password goes in plain text).
Comment by Peter Nelson (peter1138) - Monday, 13 March 2017, 15:57 GMT
What are the ls, cd, and cwd commands used for?

What would be a sensible constraint?