MOO-cows Mailing List Archive

Re: Security... and stuff



>Just wondering, but I know of people who /insist/ that it's not even okay to
>have a permission check using 'player' in a -x, command line verb. There
>isn't any way to hack the player variable in a -x verb is there? What are
>they talking about?

This is, in fact, true.  Up to LambdaMOO 1.8, it was guaranteed that a !x
command was executed by "player".  LambdaMOO 1.8 introduced a server builtin
called `force_input()' which now allows wizards to "spoof" commands by other
players in an undetectable fashion.  While before, a security hole (wizardly
or not) had limited (although perhaps fatal) ways to be abused, now a hole
which permits arbitrary evals can do -anything- the cracked player can do,
and can do it undetectably.

That aside, however, this is easily patchable.  If your MOO has a 
$server_options object (which it probably does), add the property 
"protect_force_input" and give it a true value.  Then add as a callable
verb #0:bf_force_input which contains only the line `raise(E_PERM);'.
This hole will be patched, and only may be abused by wizards who do so
intentionally.

In general, however, !x verbs are sufficiently secure that "player" may
be used.  The force_input() considerations don't come into play that
frequently -- only for super-paranoid secure systems.

Seth
----------------------------------------------------------------------
Seth I. Rich - sir@po.cwru.edu
                                 There is nothing more precious than
Rabbits on walls, no problem.    a tear of true repentance.

