Summary: [RFC] scripting: Sandbox Lua scripts
Submitted by: englabenny
Submitted on: Sunday 2010-03-14 at 22:40
Severity: 3 - Normal
Priority: 1 - Later
Assigned to: None
Discussion Lock: Any
Operating System: None
Code executed in our Lua runtime has by default access to all builtin
lua functions and modules. These include functions to load lua files
or access the operating system.
As an example, a ruleset or scenario script could execute arbitrary
shell commands (the harmless 'uptime' program, say) using
os.execute("uptime"). Additionally, the builtin module io allows Lua
code to open and read/write files.
If we can, we should make freeciv rock-solid safe w.r.t. scenario
scripts; they should be simple data, without security implications.
Otherwise a server administrator must scrutinize any custom ruleset
and scenario before installing it, and users could experience
viruses in the form of freeciv scenarios or savegames.
Lua provides a method called "setfenv" that allows the caller to set
the environment a called function executes in. We set up a restricted
environment and execute ruleset/scenario code only inside this. In the
code, this restricted execution is carried out inside
script.c:script_call (which is now the only entry point for user
The setup of the restricted environment uses a whitelist of builtin
symbols (functions, values and modules) that we allow in the scripting
environment, defined in api.pkg, where we also have a comment:
We want to assure that
1) The script has no access to the operating system
(loadfile, os module, io module).
2) The script can not modify modules that freeciv's script runtime
uses, for example by diverting error handling routines or similar.
3) The script can not break out of the sandbox.
I have used this community resource as reference when picking builtins
Notice however that a normal freeciv script needs next to no builtins.
We don't foresee needing class and inheritance programming, so much of
lua's power can be turned off. The whitelist of builtins is thus
The sandbox construction assumes that all parts of our game api are
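To make the setfenv approach concrete, here is an added illustration of the whitelist environment and the single call site described above. It is not the code from the attached patch; the whitelisted names and the constructed test scripts are my own choices, and it targets Lua 5.1, where setfenv exists (Lua 5.2 and later replace it with the env argument of load).

```lua
-- Added example (Lua 5.1). Not the freeciv patch's own code.

-- Build a fresh environment holding only whitelisted builtins. Anything
-- not listed (os, io, loadfile, dofile, require, loadstring, rawset,
-- setmetatable, getmetatable, setfenv, debug, package, _G) is simply
-- absent, so a script that references it sees nil.
local function make_sandbox_env()
  local function copy(tbl, names)      -- copy selected fields so the script
    local out = {}                     -- cannot alter the host's own module
    for _, k in ipairs(names) do out[k] = tbl[k] end  -- tables (point 2)
    return out
  end
  return {
    print = print, type = type, tostring = tostring, tonumber = tonumber,
    pairs = pairs, ipairs = ipairs, next = next, select = select,
    unpack = unpack, error = error, pcall = pcall, assert = assert,
    string = copy(string, {"format", "sub", "len", "rep", "find", "gsub"}),
    math   = copy(math, {"floor", "ceil", "max", "min", "abs", "random"}),
  }
end

-- Compile untrusted source without running it, swap in the restricted
-- environment, then run under pcall so errors are returned, not raised.
local function run_sandboxed(source, name)
  local chunk, err = loadstring(source, name)
  if not chunk then return false, err end
  setfenv(chunk, make_sandbox_env())   -- globals now resolve against env only
  return pcall(chunk)
end

-- Constructed scripts standing in for ruleset/scenario code.
local cases = {
  ["os.execute"] = 'return os.execute("uptime")',      -- point 1: no OS access
  ["io.open"]    = 'return io.open("/etc/hostname")',  -- point 1: no file access
  ["clobber"]    = 'string.format = nil; return 1',    -- point 2: only the copy changes
  ["escape _G"]  = 'return _G.os',                      -- point 3: no real globals table
  ["legit"]      = 'return string.format("%d turns", math.floor(10.7))',
}
for label, src in pairs(cases) do
  local ok, res = run_sandboxed(src, label)
  print(string.format("%-10s ok=%-5s %s", label, tostring(ok), tostring(res)))
end
-- The "clobber" script only touched its copy; the host's string.format survives.
assert(type(string.format) == "function")
```

The three forbidden cases fail with "attempt to index global '...' (a nil value)" while "legit" returns "10 turns", and because the environment is rebuilt per call no state leaks between scripts. One caveat the whitelist alone does not cover: the shared string metatable still indexes the real string table, so ("x"):rep(3) works regardless of what env.string contains, which matters if the host later adds anything sensitive there.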
Date: Sunday 2010-03-14 at 22:40 Name:
0001-scripting-Sandbox-Lua-scripts.patch Size: 8 kB By: englabenny
This message was sent via Gna!
Freeciv-dev mailing list