Server security
From AssaultCube
| This page needs to be restructured or rewritten |
Contents |
General
It is easy to set up a minimal server, however if you plan to host a server over a long time you should consider some security aspects. General goals:
- Run the server with an underprivileged user account. This reduces the applications access to local system resources such as the filesystem
- Run the server in a way that does not require an interactive session. This ensures that the server keeps running independent of any user session.
- Run the server in a sandbox. Isolate the server process to minimize its ability to affect the local system
The following sections describe these measurements on different platforms. It is presumed that the reader knows how to perform basic administrative tasks such as creating new user accounts.
Microsoft Windows
This section covers the following Windows platforms:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2000
- Microsoft Windows XP
Running the AC server as a service
Creating an own service for the AC server is a good way to achieve the goals 1. and 2. : It runs the AC server using a configurable user credential and keeps it running independent of any user session.
- Create a new user account for the AC server, e.g. a local user account named ACserver.
- Remove the account from the Users group.
- Create a new group for game servers, e.g. Gameservers and add the ACserver account to it.
- Set the correct filesystem permissions:
- Deny write permission on the system drive (C:\)
- Grant execute permission on the \bin_win32 folder
- Grant execute permission on the \assaultcube_server.bat file
- Grant Read permission on the \config\maprot.cfg file
..undone
Linux/Unix
TODO: cross distro description
Categories: Rewrite | English | Servers | Configuration
