[ghostdlr]

Hello guys. I have a dedicated server with Windows server 2019 and I want to host a CS GO server for someone.

I also have my stuff running there, some websites and files. Is there any security risk if I host that CS GO server?

Can source mod plugins list and read files from disk outside cs go server folder? Can it get info about running processes or any information about the machine ?

[eyal282]

Quote:

Originally Posted by ghostdlr Hello guys. I have a dedicated server with Windows server 2019 and I want to host a CS GO server for someone. I also have my stuff running there, some websites and files. Is there any security risk if I host that CS GO server? Can source mod plugins list and read files from disk outside cs go server folder? Can it get info about running processes or any information about the machine ?

No chance of deleting / accessing anything the user can't access I believe. Wait for the experts if you're still afraid.

[Psyk0tik]

As far as I know, SM can only access files located in folders relative to the path of SM and the game's mod (tf, csgo, left4dead, left4dead2, etc.) folder. SM will not be able to access anything outside of the server's game folder, so I wouldn't worry about plugins potentially retrieving your personal/confidential files.

[asherkin]

The SourceMod plugin runtime is not sandboxed, plugins can access anything that the SRCDS process can access (which is probably going to be the same as anything the user running SRCDS can access).

You should treat a compiled plugin as you would any other executable code. If you're talking vulnerabilities rather than intentionally malicious code (all SourceMod plugins are legally required to be distributed with source code, so you can always audit and compile them yourself), I'd be a lot more wary of SRCDS itself personally.

There's no great risk here, just isolate SRCDS as you would any other server daemon.

[ghostdlr]

Not sure how to isolate it on windows server. Any ideas?

[TomL.]

There are many ways e.g. windows users and groups permissions, Docker/Hyper-V, sandbox software etc.

[ghostdlr]

Did anyone try to use sandboxie for running srcds ? Is it a good idea ?

[TomL.]

You can use it.

[LaGgLs]

You are 100% safe to use that its no change sourcemod can read files in that way

[Balimbanana]

I think you should definitely sandbox it. Here is an example of being able to list directories and read files (to the extent of what the user that launched srcds.exe can access):

Code:

#include <sourcemod>

public void OnPluginStart()
{
	RegAdminCmd("ls",lsdir,ADMFLAG_ROOT,".");
	RegAdminCmd("cat",catfile,ADMFLAG_ROOT,".");
}

public Action lsdir(int client, int args)
{
	if (args > 0)
	{
		char szDir[256];
		GetCmdArgString(szDir,sizeof(szDir));
		if (DirExists(szDir,true,NULL_STRING))
		{
			Handle hDirListing = OpenDirectory(szDir,true,NULL_STRING);
			if (hDirListing != INVALID_HANDLE)
			{
				char buff[64];
				while (ReadDirEntry(hDirListing, buff, sizeof(buff)))
				{
					if ((!(StrEqual(buff, "."))) && (!(StrEqual(buff, ".."))))
						PrintToConsole(client,"%s/%s",szDir,buff);
				}
			}
			CloseHandle(hDirListing);
		}
		else PrintToConsole(client,"Directory '%s' does not exist.",szDir);
	}
	return Plugin_Handled;
}

public Action catfile(int client, int args)
{
	if (args > 0)
	{
		char szFile[256];
		GetCmdArgString(szFile,sizeof(szFile));
		if (FileExists(szFile,true,NULL_STRING))
		{
			Handle hFile = OpenFile(szFile,"r",true,NULL_STRING);
			if (hFile != INVALID_HANDLE)
			{
				char line[256];
				while(!IsEndOfFile(hFile)&&ReadFileLine(hFile,line,sizeof(line)))
				{
					ReplaceString(line,sizeof(line),"\n","",false);
					PrintToConsole(client,"%s",line);
				}
			}
			CloseHandle(hFile);
		}
		else PrintToConsole(client,"File '%s' does not exist.",szFile);
	}
	return Plugin_Handled;
}

Then as an example, lets assume the server is installed at:
C:\SteamCMD\steamapps\common\CSGO\csgo
and you have a web server at:
C:\webserver

Code:

This would list the directory contents
ls ../../../../../webserver/htdocs
This could read a .htaccess file at the root of htdocs
cat ../../../../../webserver/htdocs/.htaccess

You could even modify the code to open in "r+" or "w" and overwrite files there. If it was just for a friend, you probably wouldn't need to worry about them doing things like this, but if they have random admins on their server that could add plugins, definitely sandbox it.