wiki:Steam user data

This page is for people concerned about the confidentiality of their Steam account data in combination with these scripts.

There have already been people on the forum stating they would not give their Steam user data to some random people on the internet. And I must admit I fully support this statement. I would encourage anyone using tools / services that ask you to enter login information for something else to make sure that this information is handled appropriately or - if that is either simply not the case or it is impossible to verify (e.g. closed source) - do not use that tool unless you still really trust the developers / operators.

In regards to the server management tools it is quite easy to verify your information will not be leaked by the scripts as the whole thing is open source and even used as source instead of some compiled code.

So how do you verify the Steam logon information is only used for SteamCMD? First step will be looking at the place the login information is stored: /etc/7dtd.conf in the shell variables STEAM_USER and STEAM_PASS. If you followed the Installation instructions (especially the section securing the files) this file will only be readable by the user root. So unless you have another security hole on your server no one should be able to get that information unless you explicitly run something as root.

Obviously the management scripts are all run as root. In order to access the contents of the two variables the code would have to include a reference to STEAM_USER and/or STEAM_PASS. To check for all places this is the case you can run a grep on the whole directory tree of the management scripts which will show you all files containing these strings. In order to do so download the scripts archive and extract it to an arbitrary folder (you could also directly run the grep command on the normal installation but this would either scan all files on your system or you would have to check each file of the script system on its own).

mkdir /tmp/scripts_temp
tar -xvzf management_scripts.tar.gz -C /tmp/scripts_temp
grep -nRH STEAM_USER /tmp/scripts_temp
grep -nRH STEAM_PASS /tmp/scripts_temp

The output of the first grep command should look like this:

/tmp/scripts_temp/usr/local/lib/7dtd/commands/	./ +@sSteamCmdForcePlatformType windows +login $STEAM_USER $STEAM_PASS +force_install_dir $SDTD_BASE/engine "+app_update 251570" validate +quit
/tmp/scripts_temp/etc/7dtd.conf:5:export STEAM_USER=

The second line is the location the variable is declared so it does not matter for us. So the first line shows the only location the variable is accessed which is the update script calling steamcmd.

The output for the second grep looks almost identical:

/tmp/scripts_temp/usr/local/lib/7dtd/commands/	./ +@sSteamCmdForcePlatformType windows +login $STEAM_USER $STEAM_PASS +force_install_dir $SDTD_BASE/engine "+app_update 251570" validate +quit
/tmp/scripts_temp/etc/7dtd.conf:6:export STEAM_PASS=

Only difference is the line where the password variable is declared.

So unless you do not trust the developers of SteamCMD (i.e. Valve, the owner of Steam itself) this should show you that the scripts will not leak your Steam information ;)

Last modified 10 years ago Last modified on May 27, 2014, 10:25:01 AM