
Gammon Forum



Sandbox - how's it supposed to function?

It is now over 60 days since the last post. This thread is closed.


Posted by Ked   Russia  (524 posts)  Bio
Date Thu 20 Nov 2008 07:25 PM (UTC)
Message
The "trusting" in Lua sandbox has had me confused for a long time, so I've decided to settle this and stop wiping out the sandbox after each fresh install once and for all. Here's the problem, in one of Nick's recent posts:

Quote:
Slightly safer is not to trust all plugins but instead add one line further down:

-- Plugin IDs of plugins we trust - add your plugins to the table

local trusted_plugins = {
[""] = "", -- trust main script (ie. if no plugin running)
["03ca99c4e98d2a3e6d655c7d"] = "Chat",
["982581e59ab42844527eec80"] = "Random_Socials",
["4a267cd69ba59b5ecefe42d8"] = "Installer_sumcheck",
["83beba4e37b3d0e7f63cedbc"] = "Reconnecter",
["35dfdbf3afc8cbf60c91277c"] = "xCreate_World_File", --> add this line
} -- end of trusted_plugins


But in my experience, and judging from the sandbox's code, this alone won't work. You'd have to also add the id of each world where this plugin is used to the list of trusted worlds, otherwise the block that checks for trusted worlds will kick in and sandbox the plugin regardless of whether the latter is trusted or not. But both the comments in the sandbox and Nick's post above imply that worlds and plugins should be checked for "trust" separately. Meaning, that if a plugin is trusted but a world it is loaded in is not, then the plugin shouldn't be sandboxed.

On the other hand, I can see a good reason to have the "trustworthiness" of a plugin depend on that of the world - it prevents someone from using one of the default IDs, listed above, in his own plugin and thus bypassing the sandbox without the user knowing anything about it. On yet another (third) hand, if to trust a plugin you also have to trust its world, then the moment you decide to trust any legit plugin, you open yourself up for this "default ID" trick.

The only way to safeguard yourself against it is to keep any plugins you don't actually have installed off the "trust" list, since two plugins with the same id can't be loaded at the same time.

So, what did you have in mind, Nick? Please clarify.

To clarify my own view: I believe keeping plugins separate from worlds makes more sense than the way it works now. If you are interested, I have the code to implement it and could look into some way of enforcing the "only loaded plugins can be trusted" rule also.

Posted by Nick Gammon   Australia  (23,133 posts)  Bio   Forum Administrator
Date Reply #1 on Thu 20 Nov 2008 08:27 PM (UTC)
Message
Well as you know, security is a compromise between level of security and ease of use.

You are right, judging by the code I wanted to have both the world and plugin trusted, however I can see an argument that a trusted plugin should run on an untrusted world - in fact this is what would happen if you distribute a plugin. The player still has to add the plugin to the trusted list, but you don't have the extra step of finding out their own world ID, and adding that to the trusted world list.

I don't see a big problem with a minor amendment to only check the world ID if you are *not* in a plugin. However this won't help existing users, as the sandbox is retained over MUSHclient upgrades, unless you uninstall and reinstall.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

Posted by Ked   Russia  (524 posts)  Bio
Date Reply #2 on Thu 20 Nov 2008 08:43 PM (UTC)
Message
Quote:
However this won't help existing users, as the sandbox is retained over MUSHclient upgrades, unless you uninstall and reinstall.


What's stopping you from overwriting the sandbox on upgrade from the installer? But regardless of the answer, security is, as you've said, a compromise. Those who are worried about it will reinstall if needed; I certainly will, now that I know how it works and what exactly I need to do to use it properly.

In any case, here's the amended portion of the sandbox:

-- default is to sandbox everything --

-- To trust individual worlds or plugins, add them to the lists below.
                             
-- To find your current world ID, do this: /print (GetWorldID ())
-- Plugin IDs are mentioned near the start of every plugin.

-- You can limit the behaviour to specific worlds, or specific plugins
-- by doing something like this:

do

  -- World IDs of worlds we trust - replace with your world IDs
  --    (and remove comment from start of line)

  local trusted_worlds = {
 --    ["a4a1cc1801787ba88cd84f3a"] = true,  -- example world A
 --    ["cdc8552d1b251e449b874b9a"] = true,  -- example world B
 --    ["1ec5aac3265e472b97f0c103"] = true,  -- example world C
      }  -- end of trusted_worlds 

  -- Plugin IDs of plugins we trust - add your plugins to the table

  local trusted_plugins = {
     [""] = "",            -- trust main script (ie. if no plugin running)
     ["03ca99c4e98d2a3e6d655c7d"] = "Chat",  
     ["982581e59ab42844527eec80"] = "Random_Socials", 
     ["4a267cd69ba59b5ecefe42d8"] = "Installer_sumcheck",  
     ["83beba4e37b3d0e7f63cedbc"] = "Reconnecter",
     }  -- end of trusted_plugins 


  -- check the world script file
  --
  if not trust_all_worlds then
    -- if we aren't in a plugin and this world isn't trusted
    if (not trusted_worlds [GetWorldID ()])  and ((GetPluginID() == "")) then
        if warn_if_not_trusted then
            ColourNote ("yellow", "black", "Untrusted world " .. WorldName() ..
                        ", ID: " .. GetWorldID ())
        end -- if warn_if_not_trusted
        MakeSandbox ()
    end -- not trusted world
  end -- not trusting all worlds
  
  -- check plugins
  if not trust_all_plugins then
    if (trusted_plugins [GetPluginID()] ~= GetPluginName () ) and (GetPluginID() ~= "") then
        if warn_if_not_trusted then
            ColourNote ("yellow", "black", "Untrusted plugin " .. GetPluginName () .. 
                     ", ID: " .. GetPluginID ())
        end -- if warn_if_not_trusted
        MakeSandbox ()
    end -- not trusted plugin
  end -- if not trusting all plugins
  
end -- local block
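The following is an added example, not code from this thread or from MUSHclient's own sandbox. It models the trust decision of the amended sandbox posted above as a plain Lua function, so the two behaviours discussed (the original "both world and plugin must be trusted" and Ked's amendment "check the world only when not in a plugin") can be compared outside the client. The MUSHclient calls GetWorldID, GetPluginID, GetPluginName, MakeSandbox and ColourNote are replaced by function arguments and return values; the function names must_sandbox and prune_trust_list, and every world and plugin ID used, are constructed for this example and are not real IDs.

```lua
-- Stand-alone model of the sandbox trust check (example code, not MUSHclient's).
-- Runs under Lua 5.1 or later; no client API is needed.

local unpack = table.unpack or unpack   -- Lua 5.2+ vs 5.1

-- Trust lists in the same shape the sandbox uses.
-- All IDs here are constructed placeholders.
local trusted_worlds = {
  ["world-A-id"] = true,
}

local trusted_plugins = {
  [""] = "",                     -- main world script (no plugin running)
  ["plugin-chat-id"] = "Chat",   -- a plugin is trusted by id AND recorded name
}

-- Decide whether the script running in this context must be sandboxed.
-- Returns (true, reason) when MakeSandbox() would be called, else (false, "trusted").
--   opts.separate = false : original behaviour, a plugin also needs a trusted world
--   opts.separate = true  : Ked's amendment, the world is checked only outside plugins
--   opts.trust_all_worlds / opts.trust_all_plugins mirror the sandbox's flags
local function must_sandbox(world_id, plugin_id, plugin_name, opts)
  opts = opts or {}
  local in_plugin = plugin_id ~= ""

  -- world check
  if not opts.trust_all_worlds and not trusted_worlds[world_id] then
    if not (opts.separate and in_plugin) then
      return true, "untrusted world " .. world_id
    end
  end

  -- plugin check: the id must be listed and the listed name must match,
  -- so a plugin reusing a listed id under another name is still sandboxed.
  -- The name is public too, so this is no substitute for keeping plugins
  -- you do not have installed off the list, as the thread points out.
  if not opts.trust_all_plugins and in_plugin then
    if trusted_plugins[plugin_id] ~= plugin_name then
      return true, "untrusted plugin " .. plugin_name .. " (" .. plugin_id .. ")"
    end
  end

  return false, "trusted"
end

-- Ked's proposed "only loaded plugins can be trusted" rule: drop trust-list
-- entries for plugins that are not installed, so a stale entry cannot be
-- matched by some other plugin adopting its id and name. Returns the pruned
-- list and the ids that were removed. (installed_ids is a set: id -> true.)
local function prune_trust_list(trusted, installed_ids)
  local kept, dropped = {}, {}
  for id, name in pairs(trusted) do
    if id == "" or installed_ids[id] then
      kept[id] = name
    else
      dropped[#dropped + 1] = id
    end
  end
  return kept, dropped
end

-- Constructed scenarios: name, world, plugin id, plugin name,
-- expected result under the original rule, expected result under the amendment.
local cases = {
  { "main script in trusted world",      "world-A-id", "",               "",     false, false },
  { "main script in untrusted world",    "world-B-id", "",               "",     true,  true  },
  { "trusted plugin in untrusted world", "world-B-id", "plugin-chat-id", "Chat", true,  false },
  { "listed id, different plugin name",  "world-A-id", "plugin-chat-id", "Evil", true,  true  },
  { "unlisted plugin in trusted world",  "world-A-id", "plugin-x-id",    "X",    true,  true  },
}

for _, c in ipairs(cases) do
  local name, w, pid, pname, want_orig, want_amended = unpack(c)
  local got_orig    = must_sandbox(w, pid, pname, { separate = false })
  local got_amended = must_sandbox(w, pid, pname, { separate = true })
  assert(got_orig == want_orig, name .. " (original rule)")
  assert(got_amended == want_amended, name .. " (amended rule)")
  print(string.format("%-36s original: %-5s amended: %s",
        name, tostring(got_orig), tostring(got_amended)))
end

-- Only "plugin-chat-id" is installed, so nothing is dropped here; add a
-- second listed id without installing it and it shows up in `dropped`.
local kept, dropped = prune_trust_list(trusted_plugins, { ["plugin-chat-id"] = true })
assert(kept["plugin-chat-id"] == "Chat" and #dropped == 0)
```

The third scenario is the one Nick's reply describes: a distributed plugin that the user has added to trusted_plugins, running in a world whose ID is not listed. Under the original rule it is sandboxed anyway; under the amendment it runs untouched, and the world list only governs the main world script.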

Posted by Nick Gammon   Australia  (23,133 posts)  Bio   Forum Administrator
Date Reply #3 on Fri 21 Nov 2008 01:38 AM (UTC)
Message
Quote:

What's stopping you from overwriting the sandbox on upgrade from the installer?


Because some people would have lengthy lists of trusted plugins and worlds in their sandbox. Or, some other behaviour, like loading things like LuaSocket.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

Posted by Ked   Russia  (524 posts)  Bio
Date Reply #4 on Fri 21 Nov 2008 03:16 PM (UTC)
Message
Then I just misread you, I suppose. I thought you meant that you can't overwrite the default sandbox, the one you get automatically when you erase the current one and reload the client.

Overwriting the user's sandbox on update would indeed be a very mean thing to do :)

Posted by Nick Gammon   Australia  (23,133 posts)  Bio   Forum Administrator
Date Reply #5 on Sat 22 Nov 2008 02:06 AM (UTC)
Message
Oh sure, I can change the default sandbox.

- Nick Gammon

www.gammon.com.au, www.mushclient.com

The dates and times for posts above are shown in Universal Co-ordinated Time (UTC).



17,374 views.





Information and images on this site are licensed under the Creative Commons Attribution 3.0 Australia License unless stated otherwise.