URL: <http://gna.org/bugs/?15624>
Summary: [RFC] scripting: Sandbox Lua scripts
Project: Freeciv
Submitted by: englabenny
Submitted on: Sunday 2010-03-14 at 22:40
Category: general
Severity: 3 - Normal
Priority: 1 - Later
Status: None
Assigned to: None
Originator Email:
Open/Closed: Open
Release:
Discussion Lock: Any
Operating System: None
Planned Release:

_______________________________________________________

Details:

Code executed in our Lua runtime has by default access to all builtin lua functions and modules. These include functions to load lua files or access the operating system. As an example, a ruleset or scenario script could execute arbitrary shell scripts (for example the 'uptime' program, to use a harmless example) using: os.execute("uptime"). Additionally the builtin module io allows lua code to open and read/write files.

If we can, we should make freeciv rock-solid safe w.r.t. scenario scripts; they should be simple data, without security implications. Otherwise a server administrator must scrutinize any custom ruleset and scenarios before installing them. And users could experience viruses in the form of freeciv scenarios or savegames.

Lua provides a method called "setfenv" that allows the caller to set the environment a called function executes in. We set up a restricted environment and execute ruleset/scenario code only inside this. In the code, this restricted execution is carried out inside script.c:script_call (which is now the only entry point for user code). The setup of the restricted environment uses a whitelist of builtin symbols (functions, values and modules) that we allow in the scripting environment, defined in api.pkg, where we also have a comment: We want to assure that
1) The script has no access to the operating system (loadfile, os module, io module).
2) The script can not modify modules that freeciv's script runtime uses, for example by diverting error handling routines or similar.
3) The script can not break out of the sandbox.
I have used this community resource as reference when picking builtins to whitelist: http://lua-users.org/wiki/SandBoxes

Notice however that a normal freeciv script needs next to no builtins. We don't foresee needing class and inheritance programming, so much of lua's power can be turned off. The whitelist of builtins is thus small.

The sandbox construction assumes that all parts of our game api are safe.

_______________________________________________________

File Attachments:

-------------------------------------------------------
Date: Sunday 2010-03-14 at 22:40  Name: 0001-scripting-Sandbox-Lua-scripts.patch  Size: 8 kB  By: englabenny
<http://gna.org/bugs/download.php?file_id=8531>

_______________________________________________________

Reply to this item at:

<http://gna.org/bugs/?15624>

_______________________________________________
The message was sent via/by Gna!
http://gna.org/

_______________________________________________
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev
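As an added illustration of the design the report describes (a whitelist of builtins copied into a fresh environment, with scripts run only inside it), here is a minimal stand-alone sandbox. This is example code written for this page; it is neither Freeciv's script.c nor the attached patch, and the function names, the exact whitelist contents and the sample scripts are assumptions. It uses setfenv on Lua 5.1 as the report does, and falls back to load's environment argument on Lua 5.2 and later.

```lua
-- Added example of the sandbox design described in the report; not Freeciv's
-- script.c and not the attached patch. The names build_sandbox_env and
-- run_sandboxed, and the exact whitelist, are assumptions for this example.

-- Builtin functions a plain data script may use. Deliberately absent:
-- loadfile, dofile, loadstring/load, require, getfenv/setfenv, rawset/rawget,
-- getmetatable/setmetatable, and the os, io, debug and package modules.
local WHITELISTED_FUNCTIONS = {
  "assert", "error", "ipairs", "next", "pairs", "pcall", "select",
  "tonumber", "tostring", "type", "unpack",
}
-- Modules exposed through a shallow copy, so a script cannot replace
-- functions in the runtime's own tables (point 2 of the report).
local WHITELISTED_MODULES = { "string", "table", "math" }

local function build_sandbox_env()
  local env = {}
  for _, name in ipairs(WHITELISTED_FUNCTIONS) do
    env[name] = _G[name]      -- nil where a version lacks e.g. global unpack
  end
  for _, modname in ipairs(WHITELISTED_MODULES) do
    local copy = {}
    for k, v in pairs(_G[modname]) do copy[k] = v end
    env[modname] = copy
  end
  env._G = env                -- a script indexing _G still sees only the sandbox
  return env
end

-- Compile `source` as text and run it with a fresh sandbox environment.
-- Returns true, results... on success or false, message on failure.
local function run_sandboxed(source, chunkname)
  -- Precompiled bytecode cannot be sandboxed safely; accept source text only.
  if source:sub(1, 1) == "\27" then
    return false, "bytecode chunks are rejected"
  end
  local env = build_sandbox_env()
  local fn, err
  if setfenv then
    -- Lua 5.1: compile, then swap the function's environment.
    fn, err = loadstring(source, chunkname)
    if not fn then return false, err end
    setfenv(fn, env)
  else
    -- Lua 5.2+: load() takes the environment directly; mode "t" also
    -- rejects bytecode at the loader level.
    fn, err = load(source, chunkname, "t", env)
    if not fn then return false, err end
  end
  return pcall(fn)
end

-- Constructed sample scripts: one benign data-style script and several that
-- try to reach outside the sandbox.
local benign = [[
  local squares = {}
  for i = 1, 4 do squares[i] = i * i end
  return table.concat(squares, ",")
]]
local escapes = {
  'return os.execute("uptime")',      -- the report's own example
  'return io.open("/etc/passwd")',
  'return loadfile("other.lua")',
  'return getfenv(0)',                -- 5.1 environment lookup
  'rawset(_G, "pairs", nil)',         -- tampering with the runtime's tables
}

print(run_sandboxed(benign, "benign"))
for _, src in ipairs(escapes) do
  print(run_sandboxed(src, "escape"))
end
```

The benign script returns true and its comma-joined result; every script in the escapes list returns false with an "attempt to index/call ... (a nil value)" error, because the name it needs was never copied into the environment. Two caveats that a sandbox of this shape does not cover on its own: on Lua 5.1 the shared string metatable still lets a script call the real string functions via method syntax (it cannot modify them without getmetatable or rawset, which are excluded), and nothing here limits CPU time or memory, so a runaway loop in a scenario script is a separate concern from the access control the report is about.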