Changes between Initial Version and Version 1 of Steam user data


Timestamp:
May 27, 2014, 10:25:01 AM (10 years ago)
Author:
Christian Illy
Comment:

--

  • Steam user data

    v1 v1  
     1This page is for people concerned about the confidentiality of their Steam account data in combination with these scripts.
     2
     3\\
     4
     5There have already been people on the forum stating they would not give their Steam user data to some random people on the internet. And I must admit I fully support this statement. I would encourage anyone using tools / services that ask you to enter login information for something else to make sure that this information is handled appropriately or - if that is either simply not the case or it is impossible to verify (e.g. closed source) - do not use that tool unless you still really trust the developers / operators.
     6
     7In regards to the server management tools it is quite easy to verify your information will not be leaked by the scripts as the whole thing is open source and even used as source instead of some compiled code.
     8
     9So how do you verify the Steam logon information is only used for SteamCMD? First step will be looking at the place the login information is stored: '''/etc/7dtd.conf''' in the shell variables ''STEAM_USER'' and ''STEAM_PASS''. If you followed the [[Installation]] instructions (especially the section [[Installation#Securethefiles|securing the files]]) this file will only be readable by the user root. So unless you have another security hole on your server no one should be able to get that information unless you explicitly run something as root.
     10
     11Obviously the management scripts are all run as root. In order to access the contents of the two variables the code would have to include a reference to ''STEAM_USER'' and/or ''STEAM_PASS''. To check for all places this is the case you can run a ''[http://en.wikipedia.org/wiki/Grep grep]'' on the whole directory tree of the management scripts which will show you all files containing these strings. In order to do so download the scripts archive and extract it to an arbitrary folder (you could also directly run the ''grep'' command on the normal installation but this would either scan '''all''' files on your system or you would have to check each file of the script system on its own).
     12{{{
     13wget http://illy.bz/fi/7dtd/management_scripts.tar.gz
     14mkdir /tmp/scripts_temp
     15tar -xvzf management_scripts.tar.gz -C /tmp/scripts_temp
     16grep -nRH STEAM_USER /tmp/scripts_temp
     17grep -nRH STEAM_PASS /tmp/scripts_temp
     18}}}
     19
     20The output of the first grep command should look like this:
     21{{{
     22/tmp/scripts_temp/usr/local/lib/7dtd/commands/updateengine.sh:25:       ./steamcmd.sh +@sSteamCmdForcePlatformType windows +login $STEAM_USER $STEAM_PASS +force_install_dir $SDTD_BASE/engine "+app_update 251570" validate +quit
     23/tmp/scripts_temp/etc/7dtd.conf:5:export STEAM_USER=
     24}}}
     25The second line is the location the variable is declared so it does not matter for us. So the first line shows the only location the variable is accessed which is the update script calling ''steamcmd''.
     26
     27The output for the second grep looks almost identical:
     28{{{
     29/tmp/scripts_temp/usr/local/lib/7dtd/commands/updateengine.sh:25:       ./steamcmd.sh +@sSteamCmdForcePlatformType windows +login $STEAM_USER $STEAM_PASS +force_install_dir $SDTD_BASE/engine "+app_update 251570" validate +quit
     30/tmp/scripts_temp/etc/7dtd.conf:6:export STEAM_PASS=
     31}}}
     32Only difference is the line where the password variable is declared.
     33
     34\\
     35
     36So unless you do not trust the developers of SteamCMD (i.e. Valve, the owner of Steam itself) this should show you that the scripts will not leak your Steam information ;)
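
Review bot: The conclusion drawn on page lines 25 and 36 claims more than the two greps on lines 16-17 can show. `/etc/7dtd.conf` declares both variables with `export` (the matches on lines 23 and 30), so any process started from a shell that has sourced that file inherits the credentials in its environment without ever naming `STEAM_USER` or `STEAM_PASS`, and a grep for the literal names cannot see that. The `updateengine.sh:25` match also passes both values to `steamcmd.sh` as command-line arguments, which makes them visible in the process list to other local users while the update runs, so the statement on line 9 that only root can get at them needs that caveat. Suggest mentioning both points, dropping `export` from the conf if the scripts work without it, and running the greps against the installed paths (`/usr/local/lib/7dtd`, `/etc/7dtd.conf`) as well, since the archive fetched over plain `http://` on line 13 is not necessarily identical to what is installed.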