Follow-up Comment #9, patch #2883 (project freeciv):

Sorry for the lack of response.

I've hesitated to reply because I'm not sure quite what our threat model for
server-side scripts actually is, and whether it's in fact any different from
the threat model for admin commands.

Thinking about it, as a server operator, I want to be able to install a
modpack from (say) the forum, and have a reasonably low risk that it's been
designed to pwn my system -- I don't want to feel I have to examine every line
of it. So yes, that is more restrictive than things on the command line
(assuming I don't run server scripts from the modpack without examining

I don't know if we're (in general) anywhere near there. Come to think of it,
didn't someone do some work on Lua sandboxing a while back? Yes -- englabenny
in bug #15624 -- looks like he was thinking the same as me.

As far as this particular issue goes, apart from a DoS, the most plausible
threat I've thought of is if some configuration file is denying access to
something, but if the relevant process can't read the file, it defaults to
allowing access; in that case, overwriting it with "random" (secfile) contents
could be a hole. Don't know any concrete examples.


Reply to this item at:


  Message sent via/by Gna!

Freeciv-dev mailing list

Reply via email to