<!-- MHonArc v2.4.4 -->
<!--X-Subject: Re: System Security (was: Re: [MUD-Dev] players who "take away from the game") -->
<!--X-From-R13: X Q Znjerapr <pynjNpc.arg> -->
<!--X-Date: Thu, 11 Nov 1999 14:01:54 -0800 -->
<!--X-Message-Id: E11m2Hj-0008PC-00#under,eng.cp.net -->
<!--X-Content-Type: text/plain -->
<!--X-Reference: 199911110500.WAA05413@ami-cg.GraySage.Edmonton.AB.CA -->
<!--X-Head-End-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<title>MUD-Dev message, Re: System Security (was: Re: [MUD-Dev] players who "take away</title>
<!-- meta name="robots" content="noindex,nofollow" -->
<link rev="made" href="mailto:claw#cp,net">
</head>
<body background="/backgrounds/paperback.gif" bgcolor="#ffffff"
text="#000000" link="#0000FF" alink="#FF0000" vlink="#006000">
<font size="+4" color="#804040">
<strong><em>MUD-Dev<br>mailing list archive</em></strong>
</font>
<br>
<br clear=all><hr>
<!--X-Body-Begin-->
<!--X-User-Header-->
<!--X-User-Header-End-->
<!--X-TopPNI-->
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<H1>Re: System Security (was: Re: [MUD-Dev] players who "take away from the game")</H1>
<HR>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
<UL>
<LI><em>To</em>: <A HREF="mailto:mud-dev#kanga,nu">mud-dev#kanga,nu</A></LI>
<LI><em>Subject</em>: Re: System Security (was: Re: [MUD-Dev] players who "take away from the game") </LI>
<LI><em>From</em>: J C Lawrence <<A HREF="mailto:claw#cp,net">claw#cp,net</A>></LI>
<LI><em>Date</em>: Thu, 11 Nov 1999 14:01:39 -0800</LI>
<LI><em>Reply-To</em>: <A HREF="mailto:mud-dev#kanga,nu">mud-dev#kanga,nu</A></LI>
<LI><em>Sender</em>: <A HREF="mailto:mud-dev-admin#kanga,nu">mud-dev-admin#kanga,nu</A></LI>
</UL>
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<HR>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<PRE>
On Wed, 10 Nov 1999 22:00:11 -0700
cg <cg#ami-cg,GraySage.Edmonton.AB.CA> wrote:
> [Eli Stevens:]
>> This got me wondering... :)
>>
>> What precautions should be taken when writing a MUD codebase from
>> scratch? Are most security holes that a MUD box might have at
>> the OS level, or does having a program like a MUD running open up
>> opportunities that would not otherwise exist (assuming that the
>> ability to issue OS commands and such is not a feature)?
> Aha! A technical issue! :-)
<<Oops>>
> Having a MUD running isn't a problem if you are careful in what
> you let the MUD server do. Obviously! The main thing is likely to
> be that of system and communications load. If you are careful to
> *not* provide any ways by which MUD players can issue system
> commands, there shouldn't really be any issues outside of the MUD
> itself. A MUD server simply presents a socket that people can talk
> to. If it never, however indirectly, allows stuff that comes from
> client sockets to end up unedited in a system command, then it
> should be safe.

If you bind to a port less than 1024 on a Unix system your server
must run as root.  Ergo, if there is a stack overflow or similar
exploit in your server, an arbitrary user can obtain root access on
your system.

There are a couple simple ways to protect against this:

  -- setuid() away from root for all portions of the code that don't
  deal with the socket calls.  You should do this sort of
  setuid()/setgid() protection in any privileged code you write
  anyway.  Always.  This leaves the exploit window in the socket code
  only, not your entire app/server.

  -- Use a helper program which runs as root to do the privileged
  socket IO which then communicates to the server which runs as a
  non-privileged user via some other stack.

Other concerns are discussed in the documents I referenced.

--
J C Lawrence Internet: claw#kanga,nu
----------(*) Internet: coder#kanga,nu
...Honorary Member of Clan McFud -- Teamer's Avenging Monolith...
</PRE>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<HR>
<!--X-Follow-Ups-End-->
<!--X-References-->
<UL><LI><STRONG>References</STRONG>:
<UL>
<LI><STRONG><A NAME="00206" HREF="msg00206.html">Re: System Security (was: Re: [MUD-Dev] players who "take away from the game")</A></STRONG>
<UL><LI><EM>From:</EM> cg#ami-cg,GraySage.Edmonton.AB.CA</LI></UL></LI>
</UL></LI></UL>
<!--X-References-End-->
<!--X-BotPNI-->
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<hr>
</body>
</html>