[Pkg-freeciv-devel] Bug#419542: freeciv-server: does not recognise the options -a -N any more, were they removed?

josai josai at gmx.net
Mon Apr 16 13:51:07 UTC 2007


Package: freeciv-server
Version: 2.0.8-3
Severity: important


After the upgrade from sarge to newly stable etch I became aware of this:

The civserver does not recognise the option -a (--auth) and thus the option -N (--Newusers)
any more. It prints an error message and a list of options where indeed the -a and -N options
are not listed any more and then exits. I found no hint whether they were removed deliberately
or replaced by new means of authorization for players.


Trying to run a new game:

freeciv@gateway:~/game_002_2007_03_15$ civserver --auth --Newusers --port 5555 --exit-on-end --read gamesetup_20070315.txt --gamelog gamelog_20070315.log
Error: unknown option '--auth'
....
freeciv@gateway:~/game_002_2007_03_15$


Trying to load and run a saved game:

freeciv@gateway:~/game_002_2007_03_15$ civserver --auth --Newusers --port 5555 --exit-on-end --file gamesave20070315-+2033m.sav.gz --gamelog gamelog_20070315.log
Error: unknown option '--auth'
....
freeciv@gateway:~/game_002_2007_03_15$


Impact:
Leaving out the -a option, the game will run with no problems. But any user will be able to log in as
any other user without a password required. This enables complete strangers to join and disturb a
running game. Especially with servers (like mine) where users play over a time of several weeks and
thus log in and log out repeatedly. It gives me a hell of a time to determine whether unauthorized
people gained access.

Possible scenario:
A game is running and all players are connected. A stranger stumbling on the server decides to join
and make trouble. Once joined as guest he will see the hosts of all players. Now he could try to
terminate one or all user connections by DDoS against the server or a single player, because he
knows he can join thereafter as this specific user without any means of authorization required.

Suggestion/Request:
Please include the -a and -N options as they existed in Debian sarge freeciv-server 2.0.1-1sarge2 in
order to enable privacy and security again.


With kind regards
josai

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19.2-grsec
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages freeciv-server depends on:
ii  freeciv-data                2.0.8-3      Civilization turn based strategy g
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libreadline5                5.2-2        GNU readline and history libraries
ii  zlib1g                      1:1.2.3-13   compression library - runtime

freeciv-server recommends no packages.

-- no debconf information
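
A fail-closed launcher for the situation this report describes, as an added example that is not part of the original message or of the freeciv package: it looks for --auth and --Newusers in the server's option listing and refuses to start the game when either is missing, instead of running without authentication. It assumes that `civserver --help` prints the option list the report mentions; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the report or the freeciv package).
# Assumption: "<server> --help" prints the option list the report mentions,
# so a build without authentication support never shows --auth there.

# has_option SERVER OPT: true if SERVER's option listing names --OPT.
has_option() {
    # Read stdout and stderr together; the listing may go to either.
    "$1" --help 2>&1 | grep -q -e "--$2"
}

# preflight SERVER: true only if both authentication options are offered.
preflight() {
    missing=""
    for opt in auth Newusers; do
        has_option "$1" "$opt" || missing="$missing --$opt"
    done
    if [ -n "$missing" ]; then
        echo "refusing to start $1: no support for$missing;" \
             "any client could log in under any player name" >&2
        return 1
    fi
}

# start_server SERVER [ARGS...]: fail closed rather than drop --auth silently.
start_server() {
    server=$1
    shift
    preflight "$server" || return 1
    "$server" --auth --Newusers "$@"
}

# Usage: start_server civserver --port 5555 --exit-on-end --read gamesetup_20070315.txt
```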



