
RCON cd allows full browsing #6193

Closed
DorpsGek opened this issue Dec 27, 2014 · 11 comments
Labels
bug Something isn't working flyspray This issue is imported from FlySpray (https://bugs.openttd.org/) security This issue is possibly a security issue

Comments

@DorpsGek
Member

Sp1k3 opened the ticket and wrote:

Hi,

When we were looking around with rcon on the ottdc stable server we started noticing that it was possible to browse the complete filesystem using rcon. Which is something that allows "fellow" players to explore the servers filesystem and get information which could be enough to find weakness in a system (for example).

Possible solution would be to limit RCON with a sort of chroot kinda variable which defaults to the path OTTD is in but paths can be added in the config. This allows users (and distro maintainers) to add paths where needed while still keeping rcon contained. And should a user (on *NIX systems for example) want to add / it's a risk they want to take.

Just my 2 cents in this case. For more info/ideas poke me or PM me, because we've had a discussion already :)

Reported version: trunk
Operating system: All


This issue was imported from FlySpray: https://bugs.openttd.org/task/6193
@DorpsGek
Member Author

The_Dude wrote:

Shouldn't it be enough to limit the folder access of the user under which openttd is running?


This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13664

@DorpsGek
Member Author

Sp1k3 wrote:

If OTTD comes from a distro it might have different (perhaps even separated) folders


This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13665

@DorpsGek
Member Author

Hazzard wrote:

Since the `!rcon cd` command only seems able to move one (relative) folder at a time, it could be enough to blacklist a single folder. (Might have to worry about symlinks, not sure how openttd handles them.) It wouldn't be too difficult to go all the way and just check if the user is entering a subfolder.

Some openttd.cfg setting like `rcon_root` or maybe `rcon_scope` (disabled/unused by default) would be a good way to configure it.

Side note, hypothetically you could do this by placing the openttd run location in a folder that is unreadable (by openttd), but when I tried it I got "unabled to get back to working directory" or something similar, since it seemed to be using some absolute paths.


This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13666
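As an added example (not OpenTTD code, and not something the project ever merged for this ticket), the check described in the two comments above: Sp1k3's opening proposal of a chroot-like set of configured roots, and Hazzard's suggestion of only allowing `cd` into a subfolder while worrying about symlinks. It is written in C++17 with `std::filesystem`, which is what an OpenTTD-side implementation would reach for. The `resolve_cd` function name, the `Fixture` helper and the directory layout it builds under the system temp directory (`openttd/save` inside the root, a sibling `etc` outside it, and a symlink `openttd/escape` pointing at `etc`) are all this example's own constructions. The key design point is that the target is canonicalised first, so `..`, absolute paths and symlinks are all compared against the roots as the path would really be used, and that the root/target comparison is done element-wise rather than on strings.

```cpp
// Added example: a chroot-style containment check for an rcon "cd" argument.
// Not OpenTTD code; the names (resolve_cd, Fixture, fixture) and the
// directory layout built below are this example's own assumptions.
#include <algorithm>
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <system_error>
#include <vector>

namespace fs = std::filesystem;

// Path elements, skipping the empty element a trailing separator can leave.
static std::vector<std::string> elements(const fs::path& p) {
    std::vector<std::string> out;
    for (const auto& e : p) {
        if (!e.empty()) out.push_back(e.string());
    }
    return out;
}

// True if `path` equals `root` or lies beneath it. Both must already be
// canonical, so an element-wise prefix test is enough; doing this on raw
// strings would wrongly accept "/srv/openttd-evil" as under "/srv/openttd".
static bool is_under(const fs::path& root, const fs::path& path) {
    const auto r = elements(root), p = elements(path);
    return r.size() <= p.size() && std::equal(r.begin(), r.end(), p.begin());
}

// Resolve an rcon "cd" argument against the current directory. The argument
// may be relative ("..", "save/../../etc"), absolute, or a symlink. canonical()
// follows symlinks and collapses "." and ".." against the real tree, so the
// result is compared with the configured roots as it would actually be used.
// Returns the new directory, or nullopt if it is outside every root or does
// not exist (an unreadable or missing directory is denied, not guessed at).
std::optional<fs::path> resolve_cd(const std::vector<fs::path>& roots,
                                   const fs::path& cwd,
                                   const std::string& arg) {
    std::error_code ec;
    const fs::path target = fs::canonical(cwd / fs::path(arg), ec);
    if (ec || !fs::is_directory(target, ec)) return std::nullopt;
    for (const auto& root : roots) {
        const fs::path real_root = fs::canonical(root, ec);
        if (!ec && is_under(real_root, target)) return target;
    }
    return std::nullopt;
}

// Constructed fixture under the system temp dir (an assumed layout, not a real
// OpenTTD install): openttd/save inside the root, a sibling "etc" outside it,
// and, where the platform allows it, a symlink openttd/escape -> etc.
struct Fixture {
    fs::path root, saves, outside;
    bool has_symlink = false;
};

const Fixture& fixture() {
    static const Fixture f = [] {
        Fixture x;
        const fs::path base = fs::temp_directory_path() / "rcon_cd_demo";
        fs::remove_all(base);
        x.root = base / "openttd";
        x.saves = x.root / "save";
        x.outside = base / "etc";
        fs::create_directories(x.saves);
        fs::create_directories(x.outside);
        std::error_code ec;
        fs::create_directory_symlink(x.outside, x.root / "escape", ec);
        x.has_symlink = !ec;  // symlink creation may be refused on some hosts
        return x;
    }();
    return f;
}

int main() {
    const Fixture& f = fixture();
    const std::vector<fs::path> roots{f.root};
    const char* tries[] = {"save", "..", "../../etc", "escape", f.outside.c_str()};
    for (const char* arg : tries) {
        auto r = resolve_cd(roots, f.root, arg);
        std::cout << "cd " << arg << " -> "
                  << (r ? r->string() : std::string("denied")) << '\n';
    }
    return 0;
}
```

Adding a second root (for instance a distro's separate savegame directory, as Sp1k3 mentions below) is just another entry in `roots`; a symlink that lands inside any configured root is then accepted, one that lands outside all of them is refused, which is the behaviour the "chroot kinda variable" proposal asks for.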

@DorpsGek
Member Author

DorpsGek commented Jan 2, 2015

peter1138 wrote:

Perhaps don't give people you don't trust access to your rcon password?


This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13687

@DorpsGek
Member Author

DorpsGek commented Jan 3, 2015

Sp1k3 wrote:

That is something I agree and disagree with at the same time. Yes, you should only give rcon access to people you trust. But SOAP? Or things that might for some reason get around rcon (unknown bug, who knows). It might just be my security mindset here. But that's where I come from these days. Possible attack vectors should be covered. In ottdc's case we run each server in a separate container. But not everybody has that possibility, and being able to look into a file system of a server should not be possible unless it's the paths it's supposed to be in. And not my /etc folder. Should something be discovered, /etc/passwd is just a few commands away, allowing usernames to be seen; next step, bruteforce.


This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13691

@DorpsGek
Member Author

DorpsGek commented Jan 3, 2015

krinn wrote:

You don't need any names from /etc/passwd, as one name is already known: root.
And many other names are known as they are common in a distro version (just browse the file and look at all the names you didn't add yourself). Or by social engineering; it wouldn't be very surprising if your host had a Sp1k3 user ;)

If you don't trust your users, you should work on that instead of trying to hide their names.
And even without any name given, unhandled bruteforce attempts allow DoS attacks.
https://en.wikipedia.org/wiki/Security_through_obscurity is a broken concept.


This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13694

@DorpsGek
Member Author

adf88 wrote:

It's not just about /etc/passwd. An attacker can crawl over the filesystem to find weaknesses e.g. some buggy services that are installed. Browsing out of openttd folder should be disabled by default.

Some people may not realize that their rcon password is that important. The password should give access to openttd, not to the whole system.
Also, rcon authentication is far from being truly safe (AFAIK the password goes in plain text).


This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13703

@DorpsGek
Member Author

peter1138 wrote:

What are the ls, cd, and cwd commands used for?

What would be a sensible constraint?


This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment14367

@DorpsGek DorpsGek added Core flyspray This issue is imported from FlySpray (https://bugs.openttd.org/) labels Apr 7, 2018
@TrueBrain
Member

Fully agree that full filesystem listing is silly. It always struck me as odd that we allow navigation like that. Of course the console was never meant to be used as an rcon, but it is now anyway.

Possibly it is better to allow settings folders where savegames can be in for servers, and disallow 'cd' and friends.

@frosch123 frosch123 removed the Core label Apr 14, 2018
@andythenorth andythenorth added stale Stale issues bug Something isn't working and removed bug Something isn't working labels Jan 5, 2019
@TrueBrain TrueBrain added security This issue is possibly a security issue and removed stale Stale issues labels Jan 24, 2019
@James103
Contributor

Would it be possible to have a permissions config file where each console command and setting has a number going from -1 to 254, where -1 or 255 = infinity, as well as a way to set the permission level of clients (those commands always have infinite permission level)? This would mean that while servers can always execute any command or setting change that they can already do, clients can't execute any command or setting change with permission level higher than their own, with an error message saying that you don't have permission to use that command.

The reasoning for this is that just the RCON password and the RCON cd folder blacklist may not be enough, as clients can still force a server to restart the game or change settings for the worse of others. Adding the permissions system will hopefully limit those malicious actions and make for a better multiplayer experience.

@TrueBrain
Member

Although it is absolutely not the best solution (that you can cd throughout a system), the impact isn't actually all that high. ls and friends only list savegames etc., not all files. Besides, it is not possible to see the content of any random file on your disk (which would be a much higher risk).

Furthermore, as mentioned earlier in this thread, rcon should really only be given to people you actually trust, and should be considered on the same level as giving someone ssh access to your box. They can restart the game, load another game, ban people, and .. indeed, see all the folders on your disk.

In the way OpenTTD is designed, this is very hard to prevent. We look for files in 7+ folders, and any subfolders thereof. We could add things like whitelisting, or even blacklisting. But in the end .. rcon should only be available to those you actually trust, and nobody else. It will be a lot of work to get this "secure", while there are very likely still many other ways to bypass it anyway.

So after almost 10 years, I am going to close this ticket without actually resolving it. Some part of me wishes we could/would actually resolve it, but seeing a ticket of 10 years with barely any activity is also an indication.

As for the suggestions to make rcon have a more fine-grained access policy, that is a feature request, and out of scope of this issue :)

@TrueBrain TrueBrain closed this as not planned Won't fix, can't repro, duplicate, stale Jan 21, 2024
5 participants