MOO-cows Mailing List Archive


Re: Caller & Player



The following example is taken from EricM@BioMOO@Diversity University's
security manual.

-- quotation start --

Why is it unacceptable to test "player" for security on +x verbs?
  I'll give an example.  Loro the lazy wizard writes a +x verb that can
recycle any object and tests permissions with
"if (!$perm_utils:controls(player,this))" at the verb's beginning.  Semli the
sneaky programmer builds an object and adds a "tell" verb to it (i.e. a verb
that gets called any time someone in the same room speaks).  The "tell" verb
calls Loro's +x verb and tells it to recycle all of Loro's objects.  Semli
puts the object in Loro's room...and Loro gets a nasty surprise after
connecting.  Neato eh!  Note that "player" will be the person speaking (Loro
in this case), because "player" is set to whoever initiates the action, and
can only be changed by wiz-permed verbs.  Generally, it stays the same from
the task's start to its finish.  Now, if Loro had tested caller_perms(), then
Semli's call would have been caught as one that did not have permission to
be recycling objects.  Got it?

-- quotation end --

Cesar Manuel Silva Henriques
************************************************************************
*"...the biggest, most urgent problems that a man has to solve are     *
*invariably within himself and not around him." S. Francisco de Assis  *
*                                                                      *
*"A crazy man is that who doesn't think before committing a mad act ...*
*a mad man is that who thinks before, but does it even though ...      *
*i am a mad man" - Anonymous ... or not                                *
************************************************************************


On Wed, 17 Jul 1996, Thomas LEVY wrote:

> 	Hi,
> Many security problems seem to be due to the difference between the 
> caller and the player. I mean, most of the verbs check the player.
> But, I can't really see the difference between Caller and Player object 
> while executing a verb.
> In the LambdaMOO Programmer's Manual, it is written that: "caller is an 
> object, the same as 'player'".
> Can somebody explain to me what I'm missing?
> 
> 	Thanks
> 	Thomas
> 
> 
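The scenario from the security-manual excerpt quoted above, written out as MOO code.  This is an added example: it is not part of either post and not EricM's or Loro's code.  `#100` is a constructed object number standing in for one of Loro's objects, and `recycle_mine_weak` / `recycle_mine` are hypothetical verb names.  It answers Thomas's question by showing what each value is in that scenario: `player` is Loro (the speaker who started the task), `caller` is Semli's object (the object whose `tell` verb made the call), and `caller_perms()` is Semli (the owner of the verb that made the call).  Only the last of these identifies who is actually asking.

```moo
@verb #100:recycle_mine_weak this none this
@chmod #100:recycle_mine_weak +x
@program #100:recycle_mine_weak
"Added example, not from EricM's manual or from Loro.  #100 is a constructed";
"object number; recycle_mine_weak is a hypothetical verb name.";
"Usage: #100:recycle_mine_weak(obj) -- recycle obj, which the owner of #100 owns.";
"WEAK: `player' is whoever started the task.  When Semli's tell verb calls this";
"while Loro is speaking, player is still Loro, so the test passes even though";
"the call was made by Semli's code, running with Semli's permissions.";
if (!$perm_utils:controls(player, this))
  return E_PERM;
endif
recycle(args[1]);
.

@verb #100:recycle_mine this none this
@chmod #100:recycle_mine +x
@program #100:recycle_mine
"Usage: #100:recycle_mine(obj) -- same job, checked against the real caller.";
"caller_perms() is the owner of the verb that called us (#-1 if this verb was";
"not called from any verb).  In the scenario, caller is Semli's object and";
"caller_perms() is Semli, who does not control #100, so the call is refused.";
"When Loro's own verbs call this, caller_perms() is Loro and it succeeds.";
perms = caller_perms();
if (!valid(perms) || !$perm_utils:controls(perms, this))
  return E_PERM;
endif
"recycle() itself also requires the verb owner to own args[1], so an object";
"Loro does not own cannot be recycled through this verb in any case.";
recycle(args[1]);
.
```

The rule of thumb this illustrates: on a +x verb, `player` tells you whose task you are running in, not who wrote the code that called you; `caller_perms()` does, so that is the value to pass to `$perm_utils:controls()`.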

