Plain text password in server-settings.json

This subforum contains all the issues which we already resolved.
Bisa
Filter Inserter
Posts: 450
Joined: Fri Jul 17, 2015 3:22 pm

Plain text password in server-settings.json

Post by Bisa »

The file given for --server-settings requires me to enter a plain text password to my account when listing the server for public visibility.

I would much rather prefer not to give the factorio server bin read permission to my password in clear text and would like to suggest you stick to tokens the way you use tokens elsewhere. Imagine a security flaw enabling a malicious user to get the binary to return the contents of that file in its current state =/. I can lock the binary down all I want with chroots and not running it as the root user and still, my personal account would be exposed since the password is stored in plain text.

(while not a bug per se - I was not able to give the matchmaking server my for-this-purpose-setup account on which I did not buy the game, I have to use an account which bought the game and I can see why this is a requirement, just pointing out that I tried with a non-bought game acc as well)
Last edited by Bisa on Tue Jun 28, 2016 9:04 am, edited 1 time in total.
Hosting a factorio server? Take a look at this || init script ||.

NoPantsMcDance
Filter Inserter
Posts: 478
Joined: Fri Jul 17, 2015 6:56 pm

Re: Plain text password in server-settings.json

Post by NoPantsMcDance »

+1
Looking for a multiplayer server? Check out my servers Vanilla Server

Zeblote
Filter Inserter
Posts: 973
Joined: Fri Oct 31, 2014 11:55 am

Re: Plain text password in server-settings.json

Post by Zeblote »

That's really weird, the updater needs to keep the same password and it's not in plaintext there?

AyrA
Inserter
Posts: 37
Joined: Mon Aug 31, 2015 8:00 pm

Re: Plain text password in server-settings.json

Post by AyrA »

The player-data.json looks like this

{
    "available-campaign-levels": {
        "demo": {
            "level-01": "hard"
        },
        "tight-spot": {
            "level-01": "hard"
        },
        "transport-belt-madness": {
            "level-01": "hard"
        }
    },
    "console-history": "",
    "latest-multiplayer-connections": "",
    "service-username": "AyrA.ch",
    "service-token": "IAMNOTTHATSTUPID"
}

I assume the password is never stored, but rather directly sent to the factorio servers in exchange for the service token. Ideally the server list would use the same token system.

pagep
Burner Inserter
Posts: 8
Joined: Mon Jun 20, 2016 2:42 pm

Re: Plain text password in server-settings.json

Post by pagep »

+1

Oxyd
Former Staff
Posts: 1428
Joined: Thu May 07, 2015 8:42 am

Re: Plain text password in server-settings.json

Post by Oxyd »

Well, fine. 0.13.2 will allow token instead of password in server-settings.

Keep in mind, however, that if an attacker gets access to your auth token, it's pretty much the same as if they got to your password. So this really only protects you against password re-use. Keep your tokens safe.

Also, the token may expire at any time, for any reason. So if you don't specify a password in server-settings, the server will have no way to re-authenticate itself and you'll have to give it a new token manually.
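As an added example (not code from this thread, from Factorio, or from Wube), the following Python script shows the change Oxyd describes applied end to end: read the service token out of a player-data.json shaped like the one AyrA posted, put it into server-settings.json in place of the password, report the weak configuration beside the corrected one, and write the file so that only the server's own user can read it. The server-settings.json key names "username", "password" and "token", the finding strings and all sample values are assumptions for illustration; the "token only" finding exists because of Oxyd's caveat that a token can expire and the server then cannot re-authenticate itself.

```python
"""Migrate a Factorio-style server-settings.json from a clear-text password
to the service token, then audit the result (added example, not project code)."""
import json
import os
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the player-data.json AyrA posted
# (the token value is a placeholder copied from that post, not a credential).
SAMPLE_PLAYER_DATA: Dict[str, object] = {
    "console-history": "",
    "latest-multiplayer-connections": "",
    "service-username": "AyrA.ch",
    "service-token": "IAMNOTTHATSTUPID",
}

# Constructed weak server-settings: the account password sits in the file in
# clear text. The keys "username", "password" and "token" are assumptions.
WEAK_SERVER_SETTINGS: Dict[str, object] = {
    "name": "example server",
    "visibility": {"public": True, "lan": True},
    "username": "AyrA.ch",
    "password": "correct horse battery staple",
    "token": "",
}

# Finding strings (assumed wording, chosen for this example).
F_PLAINTEXT = "password stored in clear text; use a token instead"
F_NO_CREDENTIAL = "neither password nor token set; public listing cannot authenticate"
F_TOKEN_ONLY = "token only: if it expires the server cannot re-authenticate, rotate it by hand"
F_PERMS = "settings file readable by group or others"


def token_from_player_data(player_data: Dict[str, object]) -> Tuple[str, str]:
    """Pull the service username and token out of a player-data.json dict."""
    user = player_data.get("service-username")
    token = player_data.get("service-token")
    if not isinstance(user, str) or not isinstance(token, str) or not user or not token:
        raise ValueError("player-data.json carries no service-username/service-token")
    return user, token


def migrate_to_token(settings: Dict[str, object],
                     player_data: Dict[str, object]) -> Dict[str, object]:
    """Return a copy of settings that authenticates with the token and holds no password."""
    user, token = token_from_player_data(player_data)
    migrated = dict(settings)  # shallow copy; the caller's dict is left untouched
    migrated["username"] = user
    migrated["token"] = token
    migrated["password"] = ""
    return migrated


def audit_settings(settings: Dict[str, object], mode: Optional[int] = None) -> List[str]:
    """List credential-handling problems in a server-settings dict.

    mode is the file's permission bits (stat.S_IMODE(...)) when the caller has them.
    """
    findings: List[str] = []
    if settings.get("password"):
        findings.append(F_PLAINTEXT)
    elif settings.get("token"):
        findings.append(F_TOKEN_ONLY)
    else:
        findings.append(F_NO_CREDENTIAL)
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(F_PERMS)
    return findings


def write_private(path: str, settings: Dict[str, object]) -> int:
    """Write settings as JSON readable only by the owner; return the resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(settings, fh, indent=4)
    os.chmod(path, 0o600)  # the create mode above is subject to umask; pin it explicitly
    return stat.S_IMODE(os.stat(path).st_mode)


def roundtrip_private(settings: Dict[str, object]) -> Tuple[int, Dict[str, object]]:
    """Write settings to a temporary file with write_private and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "server-settings.json")
        mode = write_private(path, settings)
        with open(path) as fh:
            return mode, json.load(fh)


if __name__ == "__main__":
    print("before:", audit_settings(WEAK_SERVER_SETTINGS, mode=0o644))
    fixed = migrate_to_token(WEAK_SERVER_SETTINGS, SAMPLE_PLAYER_DATA)
    mode, on_disk = roundtrip_private(fixed)
    print("after (mode %o):" % mode, audit_settings(on_disk, mode=mode))
```

The script only narrows who can read the file; as Oxyd notes, anyone who does read it still gets a credential that is as good as the password for the purposes the server uses it for, so the permission check and the token swap are complementary, not alternatives.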

Bisa
Filter Inserter
Posts: 450
Joined: Fri Jul 17, 2015 3:22 pm

Re: Plain text password in server-settings.json

Post by Bisa »

Oxyd wrote:Keep in mind, however, that if an attacker gets access to your auth token, it's pretty much the same as if they got to your password. So this really only protects you against password re-use. Keep your tokens safe.

Also, the token may expire at any time, for any reason. So if you don't specify a password in server-settings, the server will have no way to re-authenticate itself and you'll have to give it a new token manually.
Fair points, why not introduce an API token of sorts then? That we can monitor on our account page, like see status and expiry details, I really really do not like trusting any kind of account information to a 3rd party (well, yes I do realize there's a matter of weighing ease of use to security - and yes, I do realize I "give" my password to a 3rd party each time I log in etc... but storing it in a text file like that just feels like it could have been implemented a little "nicer" tbh)

Please understand that I'm not out to moan or complain, I just think our world needs to be more concerned about the little details when it comes to security and privacy - after all, losing a token would not allow anyone to log in and change my password and/or email now would it?

Oxyd
Former Staff
Posts: 1428
Joined: Thu May 07, 2015 8:42 am

Re: Plain text password in server-settings.json

Post by Oxyd »

Bisa wrote:
Oxyd wrote:Keep in mind, however, that if an attacker gets access to your auth token, it's pretty much the same as if they got to your password. So this really only protects you against password re-use. Keep your tokens safe.

Also, the token may expire at any time, for any reason. So if you don't specify a password in server-settings, the server will have no way to re-authenticate itself and you'll have to give it a new token manually.
Fair points, why not introduce an API token of sorts then? That we can monitor on our account page, like see status and expiry details, I really really do not like trusting any kind of account information to a 3rd party (well, yes I do realize there's a matter of weighing ease of use to security - and yes, I do realize I "give" my password to a 3rd party each time I log in etc...
Aren't we the 2nd party here? Or am I misunderstanding who you're referring to as the 3rd party?
Bisa wrote:but storing it in a text file like that just feels like it could have been implemented a little "nicer" tbh)
I agree with you, but the question is how. Like I said, using tokens isn't really ideal either.

Bisa
Filter Inserter
Posts: 450
Joined: Fri Jul 17, 2015 3:22 pm

Re: Plain text password in server-settings.json

Post by Bisa »

Oxyd wrote:Aren't we the 2nd party here? Or am I misunderstanding who you're referring to as the 3rd party?
yes, sorry, I dont know where my brain thought of adding a 3rd party - I mean you as the 2nd party =)
Oxyd wrote:I agree with you, but the question is how. Like I said, using tokens isn't really ideal either.
Well, I guess tokens would be the ideal for an API user whereas manually typing passwords is a more end user way of doing this - it depends on if you want the settings.json to behave as a user or as a non-human user like a system or in this case an authorized game client.

Look at how GitHub does it, for example: I've got ways to hand out API keys associated with my account that have restricted access to what I want that specific token to be able to do (create repos? delete them? etc) - in this case I'd be happy if I could create such a token in the account page and give it a custom name so >I< know what I use it for, with enough permissions to download updates and add servers to the list without allowing whoever got hold of that token to do anything else with my account. (I guess whoever in this case is my aforementioned 3rd party who could get access to the token in a malicious way should the factorio binary - god forbid - present some kind of security hole)

DRY411S
Filter Inserter
Posts: 731
Joined: Sun Mar 13, 2016 9:48 am

Re: Plain text password in server-settings.json

Post by DRY411S »

Where can I find my token please?
