Found a local privilege escalation issue with the optional API feature in src/api.cpp.
The API path is hardcoded to /tmp/SLSsteam.API. When enabled via the config, SLSsteam watches this file and blindly executes the first line it sees (e.g., install|appId|library).
Since /tmp is world-writable, any local process or user on a shared machine can write to this file to force the Steam client to install arbitrary apps. There is no authentication or ownership check on who is writing the commands.
Instead of using /tmp, the API endpoint should use $XDG_RUNTIME_DIR (usually /run/user/$UID, automatically set to 0700 by systemd) so only the current user has access. If that variable isn't set, falling back to a file or socket under ~/.config/SLSsteam/ is still much safer than /tmp.
Ideally, it would be better to replace the file-watching logic entirely with a Unix domain socket. If you bind inside $XDG_RUNTIME_DIR, you can use SO_PEERCRED on the accepted connection to check the peer's UID against geteuid() and drop the connection if they don't match.
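The socket-based replacement described above, as an added example (not SLSsteam's own code): it resolves the path the way this report suggests, refuses to bind in a directory that is not private to the current user, and uses SO_PEERCRED to drop any peer whose UID differs from geteuid(). The socket file name SLSsteam.sock is an assumption, and SO_PEERCRED is Linux-specific.

```cpp
// Added example, not SLSsteam's code: same-user Unix socket replacing /tmp/SLSsteam.API (Linux: SO_PEERCRED).
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>
#include <cstdlib>
#include <cstring>
#include <string>
// $XDG_RUNTIME_DIR (0700, per user) first, ~/.config/SLSsteam/ as fallback; file name assumed.
std::string apiSocketPath() {
    const char* runtime = std::getenv("XDG_RUNTIME_DIR");
    if (runtime && *runtime) return std::string(runtime) + "/SLSsteam.sock";
    const char* home = std::getenv("HOME");
    return std::string(home ? home : ".") + "/.config/SLSsteam/SLSsteam.sock";
}

// Kernel-supplied peer credentials: accept only a process running as our effective UID.
bool peerIsSameUser(int fd) {
    struct ucred cred{};
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0) return false;
    return cred.uid == geteuid();
}
// Bind a listening socket, refusing a directory that is shared or not ours (rules out /tmp).
int listenPrivate(const std::string& path) {
    struct stat st{};
    std::string dir = path.substr(0, path.rfind('/'));
    if (stat(dir.c_str(), &st) != 0 || st.st_uid != geteuid() || (st.st_mode & 0077)) return -1;
    sockaddr_un addr{};
    addr.sun_family = AF_UNIX;
    if (path.size() >= sizeof(addr.sun_path)) return -1;
    std::strcpy(addr.sun_path, path.c_str());
    int fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return -1;
    unlink(path.c_str());  // stale socket from a previous run
    if (bind(fd, (sockaddr*)&addr, sizeof(addr)) != 0 || chmod(path.c_str(), 0600) != 0 ||
        listen(fd, 4) != 0) { close(fd); return -1; }
    return fd;
}

// Serve one connection; the command line would be read here only when the peer checks out.
bool acceptAuthenticated(int listenFd) {
    int client = accept(listenFd, nullptr, nullptr);
    if (client < 0) return false;
    bool ok = peerIsSameUser(client);  // mismatch: drop the connection
    close(client);
    return ok;
}

int main() { int fd = listenPrivate(apiSocketPath()); return (fd >= 0 && acceptAuthenticated(fd)) ? 0 : 1; }
```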