MOO-cows Mailing List Archive


Re: [SECURITY] the basics? (was Re: force_input() and $do_command())

At 05:49 PM 07/07/96 PDT, Judy Anderson wrote:
>Hm.  Just occurred to me that the only way for a programmer to acquire
>a verb with !valid perms is to recycle emself.  This is a hard thing
>to do given all the security on chparent, recycle, etc., so perhaps
>this caller_perms thing isn't as dire as I first thought upon reading
>the message.  Any comments from those who've tried it elsemoo?  Am I
>deluding myself?  My true goal is to avoid doing an @grep on LambdaMOO
>for all the users of if (!valid(caller_perms()))...

The danger is that most MOOs do recycle characters, possibly leaving verbs
with invalid perms scattered around the DB.

I'll quote from the MOO security document currently at
but soon to be moved.

How do I do permissions-based security for a +x command line verb?
  The problem here is that you can't test caller_perms() on a command
line verb, since the perms will be #-1.    Note that this isn't a
problem for object-based security, since "caller" for a command line
verb will be the same as "player."  To test security on a +x command
line verb, replace "player" in a construct like:
     if (!$perm_utils:controls(player,this))
with an expression that will handle both command line and verb calls:
     if (!$perm_utils:controls( caller_perms()==#-1 ? player |
caller_perms() ) ,this))
If it is a command line call then caller_perms() will be #-1, and
"player" is used, otherwise "caller_perms()" is used.  Although using
instead of "caller_perms()==#-1" will also work, callers() is less efficient.
However, note that a verb can have an owner of #-1 if it's set that way by a
foolish wizard, 
which will foul this test.  In addition, if you use renumber() on your
database, verbs owned
by invalid ojects will get changed to perms #-1 which will also foul the
test.  Of course,
it also fouls the valid(caller_perms()) test.  Perhaps the renumber()
function should
be changed so that invalid object perms are changed to #-3 instead, but that's
beyond the area of this discussion.

How about using (valid(caller_perms()) instead of (caller_perms()==#-1)in 
the example just given?
  Special thanks to Rui Mendes for pointing out the hole in this one!
I will quote him:
    Create two characters, one creates the object, the other
    creates the verb.  Recycle the character which created the verb.
    Call the verb, valid(caller_perms() is false then, and "player"
    is used, creating a security hole.
Eric Mercer (EricM @ BioMOO, DU MOO and others)

Home | Subject Index | Thread Index