Summary: [RFC] scripting: Sandbox Lua scripts
                 Project: Freeciv
            Submitted by: englabenny
            Submitted on: söndag 2010-03-14 den 22:40
                Category: general
                Severity: 3 - Normal
                Priority: 1 - Later
                  Status: None
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: None
         Planned Release: 



Code executed in our Lua runtime has by default access to all builtin
lua functions and modules. These include functions to load lua files
or access the operating system.

As an example, a ruleset or scenario script could execute arbitrary
shell scripts (for example the 'uptime' program to use a harmless
example) using: os.execute("uptime"). Additionally the builtin module
io allows lua code to open and read/write files.

If we can, we should make freeciv rock-solid safe w.r.t scenario
scripts, they should be simple data, without security implications.
Otherwise a server administrator must scrutinize any custom ruleset
and scenarios before installing them. And users could experience
viruses in the form of freeciv scenarios or savegames.

Lua provides a method called "setfenv" that allows the caller to set
the environment a called function executes in. We set up a restricted
environment and execute ruleset/scenario code only inside this. In the
code, this restricted execution is carried out inside
script.c:script_call (which is now the only entry point for user

The setup of the restricted environment uses a whitelist of builtin
symbols (functions, values and modules) that we allow in the scripting
environment, defined in api.pkg, where we also have a comment:

    We want to assure that
    1) The script has no access to the operating system
       (loadfile, os module, io module).
    2) The script can not modify modules that freeciv's script runtime
       uses, for example by diverting error handling routines or similar.
    3) The script can not break out of the sandbox.

I have used this community resource as reference when picking builtins
to whitelist:


Notice however that a normal freeciv script needs next to no builtins.
We don't forsee needing class and inheritance programming, so much of
lua's power can be turned off. The whitelist of builtins is thus

The sandbox construction assumes that all parts of our game api are


File Attachments:

Date: söndag 2010-03-14 den 22:40  Name:
0001-scripting-Sandbox-Lua-scripts.patch  Size: 8 kB   By: englabenny



Reply to this item at:


  Meddelandet skickades via/av Gna!

Freeciv-dev mailing list

Reply via email to