MOO-cows Mailing List Archive
Re: Means of gathering data
At 12:28 PM 6/14/96 PDT, Michael Moore wrote:
>Gustavo Glusman wrote:
>>
>> Michael Moore wrote:
>> >Here is a dump of the Generic Tape Recorder I wrote for logging interviews
>> >on my MOO:
>>
>> (snip)
>>
>> >@chmod #1875:start rx
>> >@program #1875:start
>> >if (player.wizard)
>> > if (this.on)
>> > player:tell_with_subs("%T %<is> already recording.");
>> > else
>> > this.on = 1;
>> > $you:say_action(this.start_msg);
>> > endif
>> >else
>> > return E_PERM;
>> >endif
>> >.
>>
>> Please note that this verb, and many others in this dump, are insecure.
>> They are +x and check whether the 'player' is a wizard - not a good
>> combination!
>
>Please explain to me the nature of the insecurity. To me, it seems fine--
>'player' is the object number of the player who initiated the task
>that resulted in this code being run. If that player's .wizard = 0 then
>they will get E_PERM.

@program me:tell
pass(@args);
if (player.wizard)
  #1785:start();
endif
.

since your verb is +x, i can do this, and just getting a wizard to talk to
me will bypass your security. here's a standard check:

  if ((callers() ? caller_perms() | player).wizard) ...

-----
Michael Reece sick@butterfly.net PGP Public Key
Deprogrammer http://www.butterfly.net/sick/ available on
HuskyLabs, Inc. http://www.butterfly.net/husky/ request.
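
The difference between the two checks discussed in this message, as an added example that is not part of the original post or of any MOO core: a simplified Python model of a task's `player`, `callers()` and `caller_perms()`, evaluated for four call paths. The class and function names, the sample objects, and the assumption that the speech verb is wizard-owned are constructed for illustration; `set_task_perms()` is not modelled.

```python
# Added example: simplified model of a MOO task (ignores set_task_perms()).
from dataclasses import dataclass

@dataclass(frozen=True)
class Obj:
    name: str
    wizard: bool = False

NOTHING = Obj("#-1")  # caller_perms() result when no verb called the running one

class Task:
    def __init__(self, player, calling_verb_owners):
        self.player = player                    # who started the task
        self.stack = list(calling_verb_owners)  # owners of calling verbs, outermost first

    def callers(self):
        return self.stack                       # empty when typed as a command

    def caller_perms(self):
        return self.stack[-1] if self.stack else NOTHING

def player_check(task):
    """The check in the quoted verb: if (player.wizard)"""
    return task.player.wizard

def standard_check(task):
    """The check from the reply: (callers() ? caller_perms() | player).wizard"""
    return (task.caller_perms() if task.callers() else task.player).wizard

WIZ = Obj("wizard", wizard=True)    # constructed sample objects
USER = Obj("non-wizard programmer")

SCENARIOS = {
    "wizard types the command": Task(WIZ, []),
    "non-wizard types the command": Task(USER, []),
    # speech verb (assumed wizard-owned) -> non-wizard's :tell -> :start
    "wizard speaks to a non-wizard whose :tell calls :start": Task(WIZ, [WIZ, USER]),
    "wizard-owned verb calls :start in a non-wizard's task": Task(USER, [WIZ]),
}

def evaluate():
    return {name: (player_check(t), standard_check(t)) for name, t in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (old, new) in evaluate().items():
        print(f"{name}: player.wizard={old} standard={new}")
```

Only the third path separates the checks on the unsafe side: `player` is the wizard who spoke, while the verb that actually called `:start` belongs to a non-wizard.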