
I am reviewing the Quake II source code and found out that they prevented users running the game as root:

```c
#include <stdio.h>      /* printf */
#include <unistd.h>     /* getuid */

/* From src/unix/main.c, inside main(): the check runs before anything else
   is initialised, so returning 1 simply exits the program with a failure status. */

/* Prevent running Quake II as root. Only very mad
   minded or stupid people even think about it. :) */
if (getuid() == 0)
{
    printf("Quake II shouldn't be run as root! Backing out to save your ass. If\n");
    printf("you really know what you're doing, edit src/unix/main.c and remove\n");
    printf("this check. But don't complain if Quake II eats your dog afterwards!\n");

    return 1;
}
```

What were the specific reasons to do that in Quake II?

Boann
Van Tr
  • Because it's a big piece of software, most likely buggy here and there, and might have security holes. Running vulnerable software as root is stupid. Not specific to Quake though. – Eugene Sh. Jan 03 '20 at 17:04
  • Because there's no reason to run it as root. It's only making your system more vulnerable. Security 101 man, don't ever give more permissions to software, systems, or users than is needed. – Captain Skyhawk Jan 03 '20 at 17:06
  • @EugeneSh. Thanks. I know that in general, software should not be run as `root` in Linux if not needed. My question here is more like: is there any technical reason behind that for Quake regarding its software? For example, web server applications in Linux always avoid letting the user run them as `root` because of the security concern that a program with the highest privilege can connect you to an untrusted port ... – Van Tr Jan 03 '20 at 17:22
  • @Trevor As far as I know Quake can run over the network and serve as a server too. But as mentioned below, it is also moddable, so apparently one might utilize some holes to write a mod to eat your dog. – Eugene Sh. Jan 03 '20 at 17:25
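The Quake II check above compares only the real uid returned by `getuid()`. The following is an added example (not Quake II code and not from the question or its comments) that factors the same refusal into a testable decision function and also looks at `geteuid()`, which additionally catches the case where the binary itself has been made setuid-root: there the launching user is not root, but the process still runs with root's effective privileges. The `enum priv_state` and function names are my own.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Privilege state derived from the real and effective user ids.
   Added example; not part of Quake II. */
enum priv_state {
    PRIV_UNPRIVILEGED = 0,  /* neither real nor effective uid is root */
    PRIV_REAL_ROOT    = 1,  /* started by root: what Quake II's getuid() check catches */
    PRIV_SETUID_ROOT  = 2   /* ordinary user, but effective uid is 0 (setuid-root binary) */
};

/* Pure decision function, so it can be exercised with constructed ids
   instead of only the ids of the process that happens to run it. */
enum priv_state classify_privileges(uid_t real_uid, uid_t effective_uid)
{
    if (real_uid == 0)
        return PRIV_REAL_ROOT;
    if (effective_uid == 0)
        return PRIV_SETUID_ROOT;
    return PRIV_UNPRIVILEGED;
}

/* Nonzero when the program should back out, exactly as Quake II does,
   but for either of the two privileged states above. */
int should_refuse_to_run(uid_t real_uid, uid_t effective_uid)
{
    return classify_privileges(real_uid, effective_uid) != PRIV_UNPRIVILEGED;
}

int main(void)
{
    uid_t ruid = getuid();
    uid_t euid = geteuid();

    switch (classify_privileges(ruid, euid)) {
    case PRIV_REAL_ROOT:
        fprintf(stderr, "refusing to run: started as root (uid 0)\n");
        return 1;
    case PRIV_SETUID_ROOT:
        fprintf(stderr, "refusing to run: effective uid is 0 (setuid-root binary?)\n");
        return 1;
    default:
        printf("running unprivileged as uid %lu\n", (unsigned long)ruid);
        return 0;
    }
}
```

Run as a normal user it prints the uid and exits 0; run under `sudo` (real uid 0) or as a setuid-root copy (effective uid 0) it refuses. Keeping the decision in a function that takes the ids as arguments is what makes the refusal unit-testable without actually becoming root.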

1 Answer

I doubt there are any very specific pieces of code they have thought of. It is likely just that all software has bugs, and running the software with root privilege makes bugs much more dangerous.

But a good candidate to cause issues is the QuakeC language used to create mods. Especially since these mods are made by users and out of Id Software's control. Also, it is a network application with servers and clients. This on its own is definitely reason enough.

So the reason is likely simply that 99% of those who start it as root do so by mistake, and normally there is no reason whatsoever to run a game as root.

I actually really like this. I like it so much that I am considering using this simple check in almost all future code.

EDIT:

I figured it would be a good idea to give an example. There are tons of situations in which executing stuff as root could go bad, but imagine that a program or game stores some temporary files in /tmp/mygame and upon exit, the program executes something similar to rm -rf /tmp/mygame. Now imagine that the 't' character gets corrupted for whatever reason (buffer overflows, bit flips, some programmer "testing a thing" and not restoring it, or whatever) and gets the value '\0'. Remember that C strings are NUL-terminated.

Now, instead of executing rm -rf /tmp/mygame it will execute rm -rf /. If this happens you would wish it was not executed with root privileges.

And yes, I do know that you would need to add --no-preserve-root in order to make this particular example cause any damage, but that's not the point. The point is that if there is a risk that the program could cause damage if executed with root access and the program does not need to be executed with root access to do what it should, then it is sensible to prevent it from being executed as root at all. It simply adds an extra layer of security.

Another example is that the program may be infected with a virus. If that's the case, you definitely don't want to execute it as root.

klutt
  • Another reason might be that root usually is allowed to consume more system resources than regular users (i.e. lower scoring for the oom-killer, more filesystem resources), so a runaway root process is more likely to bring the system down – Ctx Jan 03 '20 at 17:18
  • If I'm remembering correctly, `--no-preserve-root`/`--no-root` is a somewhat new option and did not exist when Quake II was developed. – Yeti Jan 04 '20 at 12:28
  • @Yeti That is correct. However, it will not protect you if you add an asterisk. `rm -rf /*`. Or well, after it has removed everything except the root folder, it will protect you from doing that last step. :) – klutt Jan 08 '20 at 07:55
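The answer's scenario (a cleanup path `/tmp/mygame` whose `'t'` becomes `'\0'`, so the string collapses to `/`) is easy to reproduce in code. The following is an added example, not the answer's or Quake II's code: it simulates that single-byte corruption with constructed input and shows the kind of guard a program can apply before ever handing a path to a recursive delete, namely that the path must still start with the expected scratch prefix, must be longer than the prefix, and must not contain `..` components. Nothing is deleted; the functions only return a decision. `SCRATCH_PREFIX`, `cleanup_path_is_safe` and `corrupt_byte` are my own names.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the answer or Quake II. */
#define SCRATCH_PREFIX "/tmp/"

/* Returns 1 if `path` is an acceptable target for recursive removal,
   0 otherwise. Rejects "/", "/tmp", "/tmp/" and anything with a ".."
   component, so a path corrupted into "/" never reaches rm -rf. */
int cleanup_path_is_safe(const char *path)
{
    size_t plen = strlen(SCRATCH_PREFIX);
    const char *p;

    if (path == NULL || path[0] != '/')
        return 0;
    /* must start with the prefix AND have something after it */
    if (strncmp(path, SCRATCH_PREFIX, plen) != 0 || path[plen] == '\0')
        return 0;
    /* reject ".." when it is a whole path component, not e.g. "my..game" */
    for (p = path; (p = strstr(p, "..")) != NULL; p += 2) {
        int at_start = (p == path || p[-1] == '/');
        int at_end   = (p[2] == '\0' || p[2] == '/');
        if (at_start && at_end)
            return 0;
    }
    return 1;
}

/* Simulates the corruption the answer describes: copy `path` into `buf`
   and overwrite the byte at `idx` with '\0'. Constructed input, not real data. */
char *corrupt_byte(char *buf, size_t bufsz, const char *path, size_t idx)
{
    snprintf(buf, bufsz, "%s", path);
    if (idx < strlen(buf))
        buf[idx] = '\0';
    return buf;
}

/* Convenience: corrupt byte `idx` of `path`, then run the guard on the result. */
int corrupted_path_is_safe(const char *path, size_t idx)
{
    char buf[64];
    return cleanup_path_is_safe(corrupt_byte(buf, sizeof buf, path, idx));
}

int main(void)
{
    char buf[64];
    const char *good = "/tmp/mygame";

    printf("%-14s safe=%d\n", good, cleanup_path_is_safe(good));
    corrupt_byte(buf, sizeof buf, good, 1);   /* 't' -> '\0': "/tmp/mygame" becomes "/" */
    printf("%-14s safe=%d\n", buf, cleanup_path_is_safe(buf));
    corrupt_byte(buf, sizeof buf, good, 5);   /* "/tmp/mygame" becomes "/tmp/" */
    printf("%-14s safe=%d\n", buf, cleanup_path_is_safe(buf));
    return 0;
}
```

The guard is a second, independent layer next to the uid check: even if the process is somehow running with more privilege than intended, a corrupted or attacker-influenced cleanup path is refused before any `rm -rf` equivalent sees it, which is exactly the "extra layer" the answer argues for.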