MOO-cows Mailing List Archive


RE: Security... and stuff

>> Just wondering, but I know of people who /insist/ that it's not even okay
>> to have a permission check using 'player' in a -x command line verb. There
>> isn't any way to hack the player variable in a -x verb is there? What are
>> they talking about?

> This is, in fact, true.
> Up to LambdaMOO 1.8, it was guaranteed that a !x
> command was executed by "player".  
No.  The guarantee still exists in 1.8.  

What changes now that we have force_input() is that commands by "player"
no longer need to have arrived from the inbound connection corresponding
to "player".  This, in turn, is simply another instance of the
possibility of player commands not having been issued/typed by the
corresponding human, about which there have NEVER been any guarantees,
seeing as, e.g.,

   someone could be faking IP packets at the server
   the corresponding human could have
     left the terminal connected while off at lunch,
     given his/her password to someone,
     had his/her account cracked, etc...

force_input() is likewise undetectable from MOO code since the server
treats a command entered in this way EXACTLY as if it came in off of the
inbound connection.  "player" AND the entire call stack (callers() and
thus, caller/caller_perms()) are no different, and you are just as
screwed on +x verbs as -x verbs.

Since there's no way to detect in MOO code that a force_input (or any of
the other possibilities above) is occurring, your choices for making
your MOO code secure are
(1) take for granted that player *does* correspond to the correct human
(2) try to get some independent verification (e.g., the way @newpassword
    asks you for your old password)

Most of the time you'll go with (1) in which case the existence of
force_input won't affect how you code things.
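As an added example (not code from this thread or from LambdaCore), here is how a -x command verb could combine choice (1) with choice (2): it trusts "player" for the permission check and then re-verifies the old password before the sensitive change. It assumes the verb is defined on the player object with args "any any any" and that `this.password` holds a crypt()ed hash checked by re-crypting with the stored hash as salt; nothing in it can tell a force_input() line from typed input, which is exactly the point above.

```moo
"Usage: @newpassword <old-password> <new-password>";
"Illustration only, not the LambdaCore verb. Assumes this.password";
"stores a crypt() hash and that this verb runs with enough permission";
"to write that property.";
"Choice (1): trust player, as the server guarantees for !x commands.";
if (player != this)
  return player:tell("You can only change your own password.");
endif
if (length(args) != 2)
  return player:tell("Usage: @newpassword <old-password> <new-password>");
endif
{old, new} = args;
"Choice (2): independent verification. crypt() with the stored hash as";
"salt reproduces that hash only if the supplied old password is right.";
if (crypt(old, this.password) != this.password)
  return player:tell("Old password does not match; nothing changed.");
endif
this.password = crypt(new);
player:tell("Password changed.");
```

Whoever fed the command, whether a human at the keyboard or a force_input() call, still has to know the old password, which is the only extra assurance MOO code can get here.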
