Fix #103: Resolve local privilege escalation in API IPC path #109
Open
NodeAndNails wants to merge 1 commit into
Conversation
Dropping the API IPC file in /tmp (world-writable) let any local user write "install|appId|library" to it, forcing Steam to install arbitrary apps.

- Moved the IPC file to $XDG_RUNTIME_DIR with 0600 permissions.
- Falls back to ~/.config/SLSsteam if XDG isn't set.
- Added lstat() checks on the fallback dir to block symlink traversal and verified ownership to stop cross-UID attacks.
- Checked mkdir() return value so we don't silently run in a broken state if it fails.
- Added a stat()/geteuid() check in onFileChange() to reject commands if the file owner doesn't match (TOCTOU mitigation).
- Added SLSAPI::deinit() to clean up the IPC file.
- Wired deinit() into unload() in main.cpp. (Note: Steam's normal exit skips unload(), so XDG tmpfs cleanup on logout is the actual safety net.)
- Changed path to std::string in api.hpp so we can handle dynamic paths without buffer issues.
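A self-contained sketch of the checks listed in the description, added here as an example and not taken from SLSsteam or from this PR. The file name `api.ipc`, the function names (`prepareIpcDir`, `openIpcFile`, `ipcFdOwnedByUs`, `readIpcCommand`, `deinitIpc`) and the restriction to the `install` action are assumptions; `install|appId|library` is the only command format the description gives.

```cpp
// Added example, not SLSsteam's code: the file name, the function names and the
// command whitelist beyond "install|appId|library" are assumptions.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <fcntl.h>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

static const char* kIpcFileName = "api.ipc";  // assumed name

// $XDG_RUNTIME_DIR is a per-user 0700 directory by spec, so the file goes
// straight into it; otherwise fall back to ~/.config/SLSsteam as the PR does.
std::string ipcDirFor(const char* xdgRuntimeDir, const char* home) {
    if (xdgRuntimeDir && *xdgRuntimeDir) return std::string(xdgRuntimeDir);
    return std::string(home ? home : "") + "/.config/SLSsteam";
}

// mkdir(0700) with the return value checked, then lstat() so a planted symlink
// shows up as a symlink: only a directory we own that nobody else can write passes.
bool prepareIpcDir(const std::string& dir) {
    if (mkdir(dir.c_str(), 0700) != 0 && errno != EEXIST) return false;
    struct stat st{};
    if (lstat(dir.c_str(), &st) != 0) return false;
    if (!S_ISDIR(st.st_mode)) return false;              // symlink or plain file
    if (st.st_uid != geteuid()) return false;            // pre-created by another UID
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return false;  // others could swap the file
    return true;
}

// Owner/mode check on the descriptor we hold (fstat), not on the path name, so
// the file cannot be swapped between the check and the read.
bool ipcFdOwnedByUs(int fd) {
    struct stat st{};
    if (fstat(fd, &st) != 0) return false;
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid()) return false;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;      // must be 0600
}

// Create-or-open without following symlinks (O_NOFOLLOW fails with ELOOP on a
// link), then verify what was actually opened.
int openIpcFile(const std::string& path) {
    int fd = open(path.c_str(), O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    if (!ipcFdOwnedByUs(fd)) { close(fd); return -1; }
    return fd;
}

struct IpcCommand { bool valid = false; std::string action; unsigned long appId = 0; std::string library; };

// Parse "install|appId|library". "install" is the only action the PR mentions,
// so it is the only one accepted; anything malformed is dropped, not forwarded.
IpcCommand parseIpcCommand(const std::string& line) {
    IpcCommand cmd;
    size_t a = line.find('|');
    if (a == std::string::npos) return cmd;
    size_t b = line.find('|', a + 1);
    if (b == std::string::npos) return cmd;
    std::string action = line.substr(0, a), id = line.substr(a + 1, b - a - 1), lib = line.substr(b + 1);
    if (action != "install") return cmd;
    if (id.empty() || id.find_first_not_of("0123456789") != std::string::npos) return cmd;
    if (lib.empty() || lib.find('|') != std::string::npos) return cmd;
    cmd.valid = true; cmd.action = action; cmd.library = lib;
    cmd.appId = std::strtoul(id.c_str(), nullptr, 10);
    return cmd;
}

// What an onFileChange()-style handler should do: re-check the owner on the
// descriptor, then read and parse. Any failed check yields an invalid command.
IpcCommand readIpcCommand(int fd) {
    if (!ipcFdOwnedByUs(fd)) return IpcCommand{};
    char buf[512];
    ssize_t n = pread(fd, buf, sizeof(buf) - 1, 0);
    if (n <= 0) return IpcCommand{};
    std::string line(buf, static_cast<size_t>(n));
    while (!line.empty() && (line.back() == '\n' || line.back() == '\r')) line.pop_back();
    return parseIpcCommand(line);
}

// deinit(): close and remove the file so nothing stale outlives the session.
void deinitIpc(int fd, const std::string& path) { close(fd); unlink(path.c_str()); }

int main() {
    std::string dir = ipcDirFor(std::getenv("XDG_RUNTIME_DIR"), std::getenv("HOME"));
    if (!prepareIpcDir(dir)) { std::fprintf(stderr, "unsafe IPC dir: %s\n", dir.c_str()); return 1; }
    std::string path = dir + "/" + kIpcFileName;
    int fd = openIpcFile(path);
    if (fd < 0) { std::perror("openIpcFile"); return 1; }
    const char sample[] = "install|480|/mnt/games\n";           // constructed sample command
    if (pwrite(fd, sample, sizeof(sample) - 1, 0) < 0) { std::perror("pwrite"); }
    IpcCommand cmd = readIpcCommand(fd);
    std::printf("valid=%d appId=%lu library=%s\n", cmd.valid, cmd.appId, cmd.library.c_str());
    deinitIpc(fd, path);
    return cmd.valid ? 0 : 1;
}
```

Two design choices worth noting. The owner check runs on the open descriptor (fstat) rather than on the path (stat), because a stat-then-open on a path still leaves a window in which a symlink or a different file can be swapped in; if a file-change handler reopens the file on every event, it should do so through the same O_NOFOLLOW open-and-verify routine. The XDG runtime directory is preferred because the base-directory spec requires it to be 0700 and user-owned and it is cleared at logout; the ~/.config fallback lives on persistent storage, which is why an explicit unlink on deinit matters more there.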
Owner
It's fine, thank you very much for the PR. I am sorry for stalling so long, but life is keeping me pretty busy lately and I just lack the time and energy to review & test this right now.
Replaces #104. Sorry, I forgot to use a separate branch when I wrote this and pushed straight to my main. Moving it here to keep things clean.