MOO-cows Mailing List Archive


Re: Means of gathering data



>Please explain to me the nature of the insecurity.  To me, it seems fine--
>'player' is the object number of the player who initiated the task
>that resulted in this code being run.  If that player's .wizard = 0 then
>they will get E_PERM.

Wizards are constantly calling verbs owned by other non-wizard players,
just by looking at them or moving to their rooms, for example.

So, if a player embedded a call to that verb inside their
look_self and got a wizard to look at e, then the verb would
check that player.wizard == 1 and then perform the restricted
activity.

Typically, you wish to look at the permissions of the CALLING verb;
the verb that calls the current verb.

So, you'd say something like

if (!caller_perms().wizard)
  return E_PERM;
endif

to return an error if the calling verb didn't have wizard permissions.

Permissioning in MOO is not obvious but it does work very well
if you are careful.  (We once found a +w verb with wizard permissions
on Id... which had caused a severe security breach!)

    /t

Tom Ritchford     tom@mvision.com, tom@weirdos.com

Verge's "Little Idiot" -- Music for the mentally peculiar.
1-800-WEIRDOS            http://www.weirdos.com/verge
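The difference between `player.wizard` and `caller_perms().wizard` that the reply describes can be modelled outside a MOO server. The following is an added example, not code from the original post or from the LambdaMOO server: a toy Python model in which `Task.player` plays the role of MOO's `player`, each verb has an owner, and `caller_perms()` reports the owner of the verb one frame up the call stack (returning `None` where MOO would return #-1 for a verb with no caller). The player names, verb names and the `look`/`look_self`/`restricted`/`admin_tool` verbs are constructed for the scenario in the reply.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


class E_PERM(Exception):
    """Stands in for MOO's E_PERM error value."""


@dataclass
class Player:
    name: str
    wizard: bool


@dataclass
class Verb:
    name: str
    owner: Player          # caller_perms() reports the owner of the calling verb
    body: Callable         # body(task, *args) -> result


@dataclass
class Task:
    player: Player         # MOO's `player`: whoever initiated the task
    stack: List[Verb] = field(default_factory=list)

    def caller_perms(self) -> Optional[Player]:
        # Permissions of the verb that called the current one; None models
        # MOO's #-1 for a verb that has no calling verb.
        return self.stack[-2].owner if len(self.stack) >= 2 else None

    def call(self, verb: Verb, *args):
        self.stack.append(verb)
        try:
            return verb.body(self, *args)
        finally:
            self.stack.pop()


def restricted_player_check(task: Task) -> str:
    # The check from the quoted question: trusts whoever started the task.
    if not task.player.wizard:
        raise E_PERM()
    return "restricted result"


def restricted_caller_check(task: Task) -> str:
    # The check from the reply: trusts only the verb that called us.
    perms = task.caller_perms()
    if perms is None or not perms.wizard:
        raise E_PERM()
    return "restricted result"


def _people():
    # Constructed players for the scenario.
    return Player("wizard", wizard=True), Player("mallory", wizard=False)


def wizard_looks_at_mallory(restricted_body: Callable) -> str:
    """Wizard runs `look`; it calls mallory's look_self, which embeds a call
    to the wizard-owned restricted verb (the situation the reply describes)."""
    wizard, mallory = _people()
    restricted = Verb("restricted", wizard, restricted_body)
    look_self = Verb("look_self", mallory, lambda t: t.call(restricted))
    look = Verb("look", wizard, lambda t, target: t.call(target))
    task = Task(player=wizard)
    try:
        return task.call(look, look_self)
    except E_PERM:
        return "E_PERM"


def wizard_runs_admin_tool(restricted_body: Callable) -> str:
    """A wizard-owned verb calls the restricted verb: legitimate use, which
    the caller_perms() check still allows."""
    wizard, _ = _people()
    restricted = Verb("restricted", wizard, restricted_body)
    admin_tool = Verb("admin_tool", wizard, lambda t: t.call(restricted))
    task = Task(player=wizard)
    try:
        return task.call(admin_tool)
    except E_PERM:
        return "E_PERM"


if __name__ == "__main__":
    for check in (restricted_player_check, restricted_caller_check):
        print(check.__name__,
              "| via mallory's look_self:", wizard_looks_at_mallory(check),
              "| via wizard's admin_tool:", wizard_runs_admin_tool(check))
```

Running it shows that the `player`-based check hands the restricted result to mallory's `look_self` as soon as a wizard looks at em, while the `caller_perms()`-based check returns E_PERM in that case and still permits the wizard-owned `admin_tool` to call the verb.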


