MOO-cows Mailing List Archive


Re: [SECURITY] the basics? (was Re: force_input() and $do_command())



At 05:49 PM 07/07/96 PDT, Judy Anderson wrote:
>Hm.  Just occurred to me that the only way for a programmer to acquire
>a verb with !valid perms is to recycle emself.  This is a hard thing
>to do given all the security on chparent, recycle, etc., so perhaps
>this caller_perms thing isn't as dire as I first thought upon reading
>the message.  Any comments from those who've tried it elsemoo?  Am I
>deluding myself?  My true goal is to avoid doing an @grep on LambdaMOO
>for all the users of if (!valid(caller_perms()))...

The danger is that most MOOs do recycle characters, possibly leaving verbs
with invalid perms scattered around the DB.

I'll quote from the MOO security document currently at
"ftp://ftp.cco.caltech.edu/pub/BioMOO/progger_help/MOOverb_security.txt"
but soon to be moved.
________

How do I do permissions-based security for a +x command line verb?
  The problem here is that you can't test caller_perms() on a command
line verb, since the perms will be #-1.    Note that this isn't a
problem for object-based security, since "caller" for a command line
verb will be the same as "player."  To test security on a +x command
line verb, replace "player" in a construct like:
     if (!$perm_utils:controls(player,this))
with an expression that will handle both command line and verb calls:
     if (!$perm_utils:controls((caller_perms()==#-1 ? player | caller_perms()),this))
If it is a command line call then caller_perms() will be #-1, and
"player" is used, otherwise "caller_perms()" is used.  Although using
"callers()" instead of "caller_perms()==#-1" will also work, callers()
is less efficient.  However, note that a verb can have an owner of #-1
if it's set that way by a foolish wizard, which will foul this test.
In addition, if you use renumber() on your database, verbs owned by
invalid objects will get changed to perms #-1 which will also foul the
test.  Of course, it also fouls the valid(caller_perms()) test.
Perhaps the renumber() function should be changed so that invalid
object perms are changed to #-3 instead, but that's beyond the area of
this discussion.

How about using (valid(caller_perms())) instead of (caller_perms()==#-1) in
the example just given?
  Special thanks to Rui Mendes for pointing out the hole in this one!
I will quote him:
    Create two characters, one creates the object, the other
    creates the verb.  Recycle the character which created the verb.
    Call the verb, valid(caller_perms()) is false then, and "player"
    is used, creating a security hole.
________
Eric Mercer (EricM @ BioMOO, DU MOO and others)
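
An added example, not part of the original message or of the quoted security document: one way to write the check so that neither failure described above falls back to "player". It uses callers(), which the quoted text says also works, to detect a command-line call, and refuses when a calling verb's perms are invalid. It assumes LambdaCore's $perm_utils:controls; the variable name "who" is illustrative.

```moo
"Added example: permission check at the top of a +x command-line verb.";
"callers() is the empty list when this verb was invoked from the command line,";
"so the command-line case is recognised without looking at caller_perms().";
if (callers())
  "Called from another verb: that verb's perms must be a live object.";
  who = caller_perms();
  if (!valid(who))
    "Covers a recycled verb owner, an owner set to #-1, and perms changed";
    "to #-1 by renumber(). Fail closed instead of substituting player.";
    return E_PERM;
  endif
else
  "Command-line call: caller_perms() is #-1 here, so player is the actor.";
  who = player;
endif
if (!$perm_utils:controls(who, this))
  return E_PERM;
endif
"... the verb's privileged work follows here ...";
```

The extra callers() call costs what the quoted document notes about efficiency; in exchange, an invalid caller_perms() inside a verb call is never mistaken for a command-line invocation.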



