<!-- MHonArc v2.4.4 --> <!--X-Subject: Re: System Security (was: Re: [MUD-Dev] players who "take away from the game") --> <!--X-From-R13: ptNnzv-pt.UenlEntr.Sqzbagba.OP.QO --> <!--X-Date: Thu, 11 Nov 1999 10:43:13 -0800 --> <!--X-Message-Id: 199911110500.WAA05413@ami-cg.GraySage.Edmonton.AB.CA --> <!--X-Content-Type: text/plain --> <!--X-Head-End--> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <html> <head> <title>MUD-Dev message, Re: System Security (was: Re: [MUD-Dev] players who "take away</title> <!-- meta name="robots" content="noindex,nofollow" --> <link rev="made" href="mailto:cg@ami-cg.GraySage.Edmonton.AB.CA"> </head> <body background="/backgrounds/paperback.gif" bgcolor="#ffffff" text="#000000" link="#0000FF" alink="#FF0000" vlink="#006000"> <font size="+4" color="#804040"> <strong><em>MUD-Dev<br>mailing list archive</em></strong> </font> <br> [ <a href="../">Other Periods</a> | <a href="../../">Other mailing lists</a> | <a href="/search.php3">Search</a> ] <br clear=all><hr> <!--X-Body-Begin--> <!--X-User-Header--> <!--X-User-Header-End--> <!--X-TopPNI--> Date: [ <a href="msg00204.html">Previous</a> | <a href="msg00205.html">Next</a> ] Thread: [ <a href="msg00246.html">Previous</a> | <a href="msg00215.html">Next</a> ] Index: [ <A HREF="author.html#00206">Author</A> | <A HREF="#00206">Date</A> | <A HREF="thread.html#00206">Thread</A> ] <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> <H1>Re: System Security (was: Re: [MUD-Dev] players who "take away from the game")</H1> <HR> <!--X-Subject-Header-End--> <!--X-Head-of-Message--> <UL> <LI><em>To</em>: <A HREF="mailto:mud-dev#kanga,nu">mud-dev#kanga,nu</A></LI> <LI><em>Subject</em>: Re: System Security (was: Re: [MUD-Dev] players who "take away from the game")</LI> <LI><em>From</em>: <A HREF="mailto:cg#ami-cg,GraySage.Edmonton.AB.CA">cg#ami-cg,GraySage.Edmonton.AB.CA</A></LI> <LI><em>Date</em>: Wed, 10 Nov 1999 22:00:11 -0700</LI> <LI><em>Reply-To</em>: <A HREF="mailto:mud-dev#kanga,nu">mud-dev#kanga,nu</A></LI> <LI><em>Sender</em>: <A HREF="mailto:mud-dev-admin#kanga,nu">mud-dev-admin#kanga,nu</A></LI> </UL> <!--X-Head-of-Message-End--> <!--X-Head-Body-Sep-Begin--> <HR> <!--X-Head-Body-Sep-End--> <!--X-Body-of-Message--> <PRE> [Eli Stevens:] > This got me wondering... :) > > What precautions should be taken when writing a MUD codebase from scratch? > Are most security holes that a MUD box might have at the OS level, or does > having a program like a MUD running open up opportunities that would not > otherwise exist (assuming that the ability to issue OS commands and such is > not a feature)? Aha! A technical issue! :-) Having a MUD running isn't a problem if you are careful in what you let the MUD server do. Obviously! The main thing is likely to be that of system and communications load. If you are careful to *not* provide any ways by which MUD players can issue system commands, there shouldn't really be any issues outside of the MUD itself. A MUD server simply presents a socket that people can talk to. If it never, however indirectly, allows stuff that comes from client sockets to end up uneditted in a system command, then it should be safe. Sometimes, however, the nature of how the MUD works requires that some portions of the MUD be able to issue system commands. For example, back when my server was AmigaMUD, I used to issue system commands from the MUD code in order to deliver email from MUD characters to normal email addresses. However, the player only controlled the destination email address, the email subject, and the email contents. The MUD code did nothing with any of those, other than to check that they were properly formed (in the case of the subject and destination). So, that should have been fairly safe. However, to show how careful you have to be, I think I just realized that I likely wasn't checking things carefully enough, and it could have been possible for someone to format my server hard drive for me. With the spread of the internet, I don't need to do that email/news stuff in my MUD anymore, so its not there. In fact, I don't think I currently use the ability to run system commands for anything other than an automated backup system, which includes only fixed commands. > Also, I am very curious about Kanga.Nu being "regularly attacked." Would > you (JCL or others) be able to describe the kind of attacks these usually > are? How you might prevent them from working, etc. :) Likely some fairly standard internet attacks at mostly well-known weaknesses. I'm not a security guru by any means, so I'll leave any more detail to JCL, if he even wants to be more specific. Read newsgroup comp.risks for high-level reports, and computer security newsgroups for lots of details. -- Don't design inefficiency in - it'll happen in the implementation. Chris Gray cg#ami-cg,GraySage.Edmonton.AB.CA <A HREF="http://www.GraySage.Edmonton.AB.CA/cg/">http://www.GraySage.Edmonton.AB.CA/cg/</A> _______________________________________________ MUD-Dev maillist - MUD-Dev#kanga,nu <A HREF="http://www.kanga.nu/lists/listinfo/mud-dev">http://www.kanga.nu/lists/listinfo/mud-dev</A> </PRE> <!--X-Body-of-Message-End--> <!--X-MsgBody-End--> <!--X-Follow-Ups--> <HR> <ul compact><li><strong>Follow-Ups</strong>: <ul> <li><strong><A NAME="00215" HREF="msg00215.html">Re: System Security (was: Re: [MUD-Dev] players who "take away from the game")</A></strong> <ul compact><li><em>From:</em> J C Lawrence <claw@cp.net></li></ul> </UL></LI></UL> <!--X-Follow-Ups-End--> <!--X-References--> <!--X-References-End--> <!--X-BotPNI--> <UL> <LI>Prev by Date: <STRONG><A HREF="msg00204.html">[MUD-Dev] MySQL as a MUD.</A></STRONG> </LI> <LI>Next by Date: <STRONG><A HREF="msg00205.html">[MUD-Dev] Neverwinter Nights</A></STRONG> </LI> <LI>Prev by thread: <STRONG><A HREF="msg00246.html">Re: [MUD-Dev] Neverwinter Nights</A></STRONG> </LI> <LI>Next by thread: <STRONG><A HREF="msg00215.html">Re: System Security (was: Re: [MUD-Dev] players who "take away from the game")</A></STRONG> </LI> <LI>Index(es): <UL> <LI><A HREF="index.html#00206"><STRONG>Date</STRONG></A></LI> <LI><A HREF="thread.html#00206"><STRONG>Thread</STRONG></A></LI> </UL> </LI> </UL> <!--X-BotPNI-End--> <!--X-User-Footer--> <!--X-User-Footer-End--> <ul><li>Thread context: <BLOCKQUOTE><UL> <LI><strong><A NAME="00203" HREF="msg00203.html">[MUD-Dev] associate producer/designer openings, and others: Maxis/EA</A></strong>, Sellers, Michael <a href="mailto:MSellers@maxis.com">MSellers@maxis.com</a>, Thu 11 Nov 1999, 18:43 GMT <LI><strong><A NAME="00205" HREF="msg00205.html">[MUD-Dev] Neverwinter Nights</A></strong>, Koster, Raph <a href="mailto:rkoster@origin.ea.com">rkoster@origin.ea.com</a>, Thu 11 Nov 1999, 18:43 GMT <UL> <LI><strong><A NAME="00211" HREF="msg00211.html">Re: [MUD-Dev] Neverwinter Nights</A></strong>, Dundee <a href="mailto:SkeptAck@antisocial.com">SkeptAck@antisocial.com</a>, Thu 11 Nov 1999, 19:02 GMT </LI> </UL> <UL> <li><Possible follow-up(s)><br> <LI><strong><A NAME="00246" HREF="msg00246.html">Re: [MUD-Dev] Neverwinter Nights</A></strong>, S. Patrick Gallaty <a href="mailto:choke@sirius.com">choke@sirius.com</a>, Sat 13 Nov 1999, 18:06 GMT </LI> </UL> </LI> <LI><strong><A NAME="00206" HREF="msg00206.html">Re: System Security (was: Re: [MUD-Dev] players who "take away from the game")</A></strong>, cg <a href="mailto:cg@ami-cg.GraySage.Edmonton.AB.CA">cg@ami-cg.GraySage.Edmonton.AB.CA</a>, Thu 11 Nov 1999, 18:43 GMT <UL> <LI><strong><A NAME="00215" HREF="msg00215.html">Re: System Security (was: Re: [MUD-Dev] players who "take away from the game")</A></strong>, J C Lawrence <a href="mailto:claw@cp.net">claw@cp.net</a>, Thu 11 Nov 1999, 22:01 GMT </LI> </UL> <UL> <li><Possible follow-up(s)><br> <LI><strong><A NAME="00217" HREF="msg00217.html">Re: System Security (was: Re: [MUD-Dev] players who "take away from the game")</A></strong>, Bruce Mitchener, Jr. <a href="mailto:bruce@puremagic.com">bruce@puremagic.com</a>, Thu 11 Nov 1999, 22:33 GMT </LI> <LI><strong><A NAME="00222" HREF="msg00222.html">Re: System Security (was: Re: [MUD-Dev] players who "take away from the game")</A></strong>, Cynbe ru Taren <a href="mailto:cynbe@muq.org">cynbe@muq.org</a>, Thu 11 Nov 1999, 23:05 GMT </LI> </UL> </LI> <LI><strong><A NAME="00204" HREF="msg00204.html">[MUD-Dev] MySQL as a MUD.</A></strong>, Quzah <a href="mailto:quzah@hotmail.com">quzah@hotmail.com</a>, Thu 11 Nov 1999, 18:43 GMT </LI> </UL></BLOCKQUOTE> </ul> <hr> <center> [ <a href="../">Other Periods</a> | <a href="../../">Other mailing lists</a> | <a href="/search.php3">Search</a> ] </center> <hr> </body> </html>