MOO-cows Mailing List Archive
Re: Means of gathering data
>> Please note that this verb, and many others in this dump, are insecure.
>> They are +x and check whether the 'player' is a wizard - not a good
>> combination!
>
>Please explain to me the nature of the insecurity. To me, it seems fine--
>'player' is the object number of the player who initiated the task
>that resulted in this code being run. If that player's .wizard = 0 then
>they will get E_PERM.
Your assumptions are correct, but consider the following case: a malicious
programmer can do something like -
@verb me:tell tnt
@prog me:tell
"Only bother when player (the one who told us something) is a wizard.";
if (player.wizard)
  "Fork a task that inherits player = wizard, then park it in suspend() until resumed.";
  fork (1)
    "resume(task_id, {object, verbname, newargs}) lands here; the programmer finds task_id via queued_tasks().";
    {object, verbname, newargs} = suspend();
    "Runs with player still set to the wizard, so any player.wizard check passes.";
    object:(verbname)(@newargs);
  endfork
endif
"Behave like a normal :tell so the wizard notices nothing.";
return pass(@args);
<end>
Then, once somewiz tells him/her something, the programmer owns a suspended
task for which player.wizard is true. The next thing the programmer has to do
is resume() that task, passing it suitable arguments, e.g. {your-recorder,
"start", {}}.
There are simpler ways, but this one gives an idea of how such a malicious
programmer could keep one or many such tasks, to be used at will later on,
e.g. when said wizard is not online anymore.
>Is there some wiz-owned core code I don't know about that changes 'player'
>to a wizard then executes other verbs with impunity? I would point to _that_
>code as being a security leak.
Agreed.
>I wanted the code to be +x so wizards could write code of their own that
>could call these verbs, and I checked .wizard because I wanted these things
>to be wiz-only, period.
Executable verbs should typically check what the caller_perms() are. There
are some treatises on verb security around, good reading any time. :)
-------------------------------------------------------------
Gustavo Glusman Founder/administrator of BioMOO
-- Gustavo@bioinformatics.weizmann.ac.il
-- http://bioinformatics.weizmann.ac.il/Gustavo
-- BioMOO: telnet bioinformatics.weizmann.ac.il 8888
WWW: http://bioinfo.weizmann.ac.il/BioMOO
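Added example, not part of the original post or of any MOO core: the same wiz-only +x verb written the insecure way the thread discusses and the way the reply recommends, using caller_perms(). The object name $recorder, the verb names start_insecure and start, and the .log property are assumed here for illustration; the builtins used (caller_perms(), valid(), time(), suspend()/resume()) are standard LambdaMOO.

```moo
@verb $recorder:start_insecure this none this rx
@program $recorder:start_insecure
"INSECURE (the pattern discussed in the thread): player is only task state.";
"A programmer who parks a task with player = some wizard, via fork/suspend/resume,";
"passes this test from a verb the programmer owns.";
if (!player.wizard)
  return E_PERM;
endif
"Assumed property: $recorder.log, a list of {time, who, args} entries.";
this.log = {@this.log, {time(), player, args}};
return 1;
.

@verb $recorder:start this none this rx
@program $recorder:start
"HARDENED: trust the permissions of the verb that called us, not player.";
"caller_perms() is the owner of the calling verb, so in the suspended-task trick";
"it is the malicious programmer, not the wizard, and E_PERM results.";
perms = caller_perms();
if (!valid(perms))
  "#-1 means there is no calling verb: this verb is the first in the task, i.e.";
  "it was typed as a command, and then player really is the person whose";
  "connection started the task. Only reachable if this code is reused in a command verb.";
  perms = player;
endif
if (!perms.wizard)
  return E_PERM;
endif
"Record who actually authorized the call, as seen through perms rather than player.";
this.log = {@this.log, {time(), perms, args}};
return 1;
.
```

From the programmer's parked task, resume(task_id, {$recorder, "start_insecure", {}}) succeeds, because that task still carries player = wizard, while resume(task_id, {$recorder, "start", {}}) gets E_PERM: the calling verb (the programmer's me:tell) is owned by the programmer, so caller_perms() is the programmer. A wizard calling $recorder:start from their own verb, or via the ; eval command, still passes. The valid() test matters because #-1.wizard would raise E_INVIND rather than fail closed.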