Why is running Quake II as root stupid?
I am reviewing the Quake II source code and found out that they prevent users from running the game as root:

#include <stdio.h>
#include <unistd.h>

/* The check lives at the start of main() in src/unix/main.c. */
int main(void)
{
    /* Prevent running Quake II as root. Only very mad
       minded or stupid people even think about it. :) */
    if (getuid() == 0)
    {
        printf("Quake II shouldn't be run as root! Backing out to save your ass. If\n");
        printf("you really know what you're doing, edit src/unix/main.c and remove\n");
        printf("this check. But don't complain if Quake II eats your dog afterwards!\n");

        return 1;
    }

    /* ... normal game startup continues here ... */
    return 0;
}

What were the specific reasons to do that in Quake II?


Solution

I doubt there are any very specific pieces of code they have thought of. It is likely just that all software has bugs, and running the software with root privileges makes bugs much more dangerous.

But a good candidate for causing issues is the QuakeC language used to create mods, especially since these mods are made by users and are out of Id Software's control. Also, it is a network application with servers and clients. This on its own is definitely reason enough.

So the reason is likely simply that 99% of those who start it as root do so by mistake, and normally there is no reason whatsoever to run a game as root.

I actually really like this. I like it so much that I am considering using this simple check in almost all future code.

EDIT:

I figured it would be a good idea to give an example. There are tons of situations where executing stuff as root could go bad, but imagine that a program or game stores some temporary files in /tmp/mygame and upon exit the program executes something similar to rm -rf /tmp/mygame. Now imagine that the 't' character gets corrupted for whatever reason (buffer overflows, bit flips, some programmer "testing a thing" and not restoring it, or whatever reason) and gets the value '\0'. Remember that C strings are NUL terminated.

Now, instead of executing rm -rf /tmp/mygame it will execute rm -rf /. If this happens you would wish it was not executed with root privileges.

And yes, I do know that you would need to add --no-preserve-root in order to make this particular example cause any damage, but that's not the point. The point is that if there is a risk that the program could cause damage if executed with root access and the program does not need to be executed with root access to do what it should, then it is sensible to prevent it from being executed as root at all. It simply adds an extra layer of security.

Another example is that the program may be infected with a virus. If that's the case, you definitely don't want to execute it as root.
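To make the answer's truncation scenario concrete, and to show what the "simple check" it wants to reuse looks like next to a defensive cleanup step, here is an added example in C. It is not Quake II code and not the answerer's; the scratch path /tmp/mygame, the "/tmp/" prefix and all helper names are constructed for the example. It goes slightly beyond the page in one respect: the root check looks at the effective uid as well as the real one, so a setuid binary is caught too. The cleanup function only decides whether a removal would be allowed; it never runs rm.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Refuse to run with root privileges. Checks both the real and the
   effective uid so that a setuid binary is caught as well (the Quake II
   check in the question only looks at getuid()). */
int running_as_root(void)
{
    return getuid() == 0 || geteuid() == 0;
}

/* Return 1 only if `path` is a plausible scratch directory we are allowed
   to delete: absolute, not "/", longer than the expected prefix, starting
   with that prefix, and free of ".." components. A path truncated to "/"
   by a corrupted byte fails the second and third tests. */
int path_is_safe_to_remove(const char *path, const char *expected_prefix)
{
    size_t plen = strlen(expected_prefix);

    if (path == NULL || path[0] != '/')
        return 0;
    if (strcmp(path, "/") == 0)
        return 0;
    if (strlen(path) <= plen)
        return 0;
    if (strncmp(path, expected_prefix, plen) != 0)
        return 0;
    if (strstr(path, "..") != NULL)
        return 0;
    return 1;
}

/* Constructed fault, not real Quake II behaviour: one byte of the path
   buffer becomes NUL, which silently truncates the C string there. */
void simulate_nul_corruption(char *buf, size_t index)
{
    if (index < strlen(buf))
        buf[index] = '\0';
}

/* Cleanup step that validates the path before it could ever reach rm.
   Returns 1 if the removal would have been attempted, 0 if refused.
   Nothing is actually deleted or executed here. */
int cleanup_scratch_dir(const char *path)
{
    if (!path_is_safe_to_remove(path, "/tmp/")) {
        fprintf(stderr, "refusing to remove suspicious path '%s'\n", path);
        return 0;
    }
    printf("would run: rm -rf %s\n", path);
    return 1;
}

int main(void)
{
    char scratch[] = "/tmp/mygame";   /* constructed sample path */

    if (running_as_root()) {
        fprintf(stderr, "refusing to run as root\n");
        return 1;
    }

    cleanup_scratch_dir(scratch);         /* accepted: /tmp/mygame */
    simulate_nul_corruption(scratch, 1);  /* the 't' becomes NUL: "/" */
    cleanup_scratch_dir(scratch);         /* refused: path is now "/" */
    return 0;
}
```

The prefix check is the part that matters for the answer's scenario: a corrupted byte can only shorten a C string, and every shortened form of "/tmp/mygame" either becomes "/" or stops being longer than the "/tmp/" prefix, so the removal is refused whether or not rm would have honoured --no-preserve-root. The uid check is the outer layer, for the bugs nobody anticipated.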