Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
I've now closed two more security holes:

1. By setting an evil browser-app property and opening the browser help, aircraft from questionable sources could execute arbitrary code in the calling shell under Unix:

    setprop("/sim/startup/browser-app", "rm -rf " ~ getprop("/sim/fg-home"));
    fgcommand("helpCb");

This is no longer possible. The browser is ATM still started with system(), but the definition in preferences.xml is write protected and can only be overridden via the --prop:sim/startup/browser-app command line option, but not by other XML files, such as aircraft *-set.xml files. Also, the string is evaluated before the first user Nasal code runs, while later changes to the property have no effect. (TODO: consider using (v)fork()/execvp() instead of system())

2. One could use fgcommand() "savexml" to overwrite arbitrary writable XML files, and "save" to overwrite arbitrary writable files. That's not as dangerous as io.open() was, but an overwritten ~/.fgfs/autosave.xml or ~/.fgfs/preferences.xml would still be an annoyance.

Both are now treated the same way (and by the same code) as io.open(). "save" and "load" enforce an extension .sav (which traditionally was the extension for such files). Rules in $FG_ROOT/Nasal/IOrules restrict the use of these commands further.

These changes close the last security holes that I was aware of. Note that the path checking is done by io.nas under Nasal even for the C++ parts. That made the most sense for now, as closing the holes had priority, but it doesn't mean that we have to stick with that approach.

m.

PS: all exploits are still possible under v1.0, so watch out! :-)

___
Flightgear-devel mailing list
Flightgear-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/flightgear-devel
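The browser-app hole above is a plain shell-injection bug: a property value controlled by aircraft Nasal is pasted into a system() command line. The following is an added example, not FlightGear code, that reproduces the three states the message describes in Python: the pre-fix system() pattern, the execvp-style launch the TODO asks for (argv list, no shell), and the fix that was actually applied (the command is read once before any user Nasal can run, so a later setprop() changes nothing). The property tree is a plain dict, the "browser" is `echo`, and the URL is constructed; none of these are the project's names or defaults.

```python
import shlex
import subprocess

HELP_URL = "http://example.invalid/help"  # constructed; nothing is fetched


def run_unsafe(browser_app, url):
    """Pre-fix pattern: the property value is pasted into a shell command line.

    Whatever an attacker can get into browser_app (setprop() from aircraft Nasal
    in the original) is parsed by /bin/sh, so ';', '&&', '$(...)' all run extra
    commands. Returns the combined stdout so the effect can be inspected.
    """
    result = subprocess.run(f"{browser_app} {url}", shell=True,
                            capture_output=True, text=True, check=False)
    return result.stdout


def run_safe(browser_app, url):
    """execvp-style launch (the TODO in the message): split the configured command
    into an argv once, append the URL as its own argument, and never involve a
    shell. Shell metacharacters in browser_app become inert argument text."""
    argv = shlex.split(browser_app) + [url]
    result = subprocess.run(argv, shell=False,
                            capture_output=True, text=True, check=False)
    return result.stdout


class HelpLauncher:
    """Mirrors the fix that was applied: the command is read from the property
    tree exactly once at startup, before any user Nasal runs. Later writes to
    the property cannot reach the launcher. 'props' is a dict standing in for
    the property tree (an assumption of this example)."""

    def __init__(self, props):
        self._argv = shlex.split(props["/sim/startup/browser-app"])

    def open(self, url):
        result = subprocess.run(self._argv + [url],
                                capture_output=True, text=True, check=False)
        return result.stdout


if __name__ == "__main__":
    hostile = "echo opening; echo INJECTED"   # constructed hostile property value
    print("system()-style :", run_unsafe(hostile, HELP_URL).splitlines())
    print("argv-style     :", run_safe(hostile, HELP_URL).splitlines())
    props = {"/sim/startup/browser-app": "echo"}
    launcher = HelpLauncher(props)
    props["/sim/startup/browser-app"] = hostile   # too late: already snapshotted
    print("frozen at start:", launcher.open(HELP_URL).splitlines())
```

With the shell, `echo opening; echo INJECTED <url>` produces two lines from two processes; with an argv list the same string becomes one `echo` invocation whose arguments happen to contain a semicolon. Freezing the value at startup is what makes the current system() call tolerable, but only for as long as nothing else can write that property before the snapshot is taken.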
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
You could however limit every io.open to only have write access to a single directory as stated before, not allowing more sources...? Then you could skip the .xml extension checks? As this would disable any modification outside the predefined directory. It could be set to something like FG_ROOT\storage or something?

But I think I might have missed what the problem is here... I read that it was something with prop-tree and networking... Limiting writes to some directories would limit the damage that could result, but isn't it better to try to limit what the io can do when it's invoked from a network context?

But then there were some references to whether you could trust downloaded models, but you shouldn't download models if you don't trust the source...?

/Sven

Melchior FRANZ wrote:
> * Melchior FRANZ -- Monday 16 June 2008:
> > * Erik Hofman -- Monday 16 June 2008:
> > > (What are the reasons to write to a file anyway?)
> > Writing non-PropertyList XML files, like they are used in the traffic manager and for flight plans.
> > Writing *.stg files (adding models or adjusting elevations for the current terrain).
>
> Writing an *.svg file with a graphic showing the flight path, or flight parameters. Or a smilie.
>
> Writing or modifying a PostScript file, for example to hand out to children on LinuxTag or flight shows, with flight time and duration automatically filled in. You could move that straight to the printer. (Caution: an attacker could empty your toner cartridge with that! ;-)
>
> Writing a TeX file with a table showing flight parameters, fuel consumption, whatever.
>
> None of this is crucial, and all of it doable with external scripts from XML exported data. But the possibility to do it with Nasal drivers from within is nice. And something that other flight sims might not be able to do. Maybe something that our corporate users would like to do. They'll probably not download questionable aircraft from 3rd party sources. :-)
>
> m.
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
I've locked the system further down. If people desire, then we can disable any file access by default. At the moment writing should only be possible with pattern ~/.fgfs/Export/* and ~/.fgfs/Scenery/*.stg.

m.
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
* Melchior FRANZ -- Monday 16 June 2008:
> I've locked the system further down.

    var read_rules = [
        [root ~ "/*", 1],
        [home ~ "/*", 1],
    ];

    var write_rules = [
        [home ~ "/Scenery/*.stg", 1],
        [home ~ "/Export/*", 1],
    ];

The 1 means ALLOW, whereas 0 would mean DENY. You probably know that from other configuration files. That way you can say, for example:

    [root ~ "/*.nas", 0],
    [root ~ "/*", 1],

to allow all files under $FG_ROOT, except *.nas files. (That's assuming that there aren't any bugs in string.match and string.fixpath, etc. ;-)

m.
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
The rules are now read from $FG_ROOT/Nasal/IOrules or, if available, $FG_HOME/Nasal/IOrules. That way people who don't have write permission for $FG_HOME/Nasal/io.nas can still extend and modify the rules. The default is:

    READ ALLOW $FG_ROOT/*
    READ ALLOW $FG_HOME/*
    WRITE ALLOW $FG_HOME/Export/*

This can be overridden with a file $FG_HOME/Nasal/IOrules that is either empty, or contains these rules:

    READ DENY *
    WRITE DENY *

Should we use the more restrictive rules by default?

Note, however, that file access via fgcommand() isn't affected by the rules at all. There's only an .xml extension enforced by, and it will abort if the file isn't a PropertyList. This should be safe enough.

m.
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
Ehlo ppl ;)

Can't you just restrict the io to the $FG_HOME dir or something? And if the user (I doubt that John Doe needs this...) requires permissions somewhere else then he/she could tell fgfs that with a cmd line argument? like --io-read=/myDir --io-read=/tmp --io-write=/etc/passwd ?

/Sven

Melchior FRANZ wrote:
> * Melchior FRANZ -- Monday 16 June 2008:
> > people who don't have write permission for $FG_HOME/Nasal/io.nas
>
> err ... $FG_ROOT/Nasal/io.nas
>
> > READ ALLOW $FG_ROOT/*
> > [...]
> > This can be overridden with a file $FG_HOME/Nasal/IOrules that is either empty, or contains these rules:
> > READ DENY *
> > WRITE DENY *
>
> err ... it can be overridden with any rules. The important point is that a local file doesn't add to the global rules, but replaces them. And an empty file or one with "READ DENY *\nWRITE DENY *" is the most restrictive you can have.
>
> m.
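The IOrules semantics spelled out over the last few messages (READ/WRITE lines with ALLOW/DENY, first matching rule wins, a local file replacing rather than extending the global one, an empty file denying everything) are small enough to implement and test in a few dozen lines. The block below is an added example in Python, not the io.nas code, written to show how those rules behave on concrete paths, including the ".." case that pattern matching alone does not cover. The $FG_ROOT and $FG_HOME values are constructed, relative paths are resolved against $FG_HOME by assumption, and ensure_extension() mirrors the append-".xml" behaviour quoted later in the thread rather than any real fgcommand().

```python
import posixpath
import re

# Constructed stand-ins for the two FlightGear directories the rules refer to.
FG_ROOT = "/usr/share/FlightGear"
FG_HOME = "/home/alice/.fgfs"

# The default rule set as quoted in the thread.
DEFAULT_RULES = """\
READ ALLOW $FG_ROOT/*
READ ALLOW $FG_HOME/*
WRITE ALLOW $FG_HOME/Export/*
"""


def parse_rules(text, fg_root=FG_ROOT, fg_home=FG_HOME):
    """Parse 'READ|WRITE ALLOW|DENY <pattern>' lines into (mode, allow, regex).

    '*' matches any run of characters including '/', so '$FG_HOME/*' covers the
    whole subtree; every other character is literal. Blank and '#' lines are skipped.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"IOrules line {lineno}: expected 'MODE ACTION PATTERN': {raw!r}")
        mode, action, pattern = parts[0].upper(), parts[1].upper(), parts[2]
        if mode not in ("READ", "WRITE") or action not in ("ALLOW", "DENY"):
            raise ValueError(f"IOrules line {lineno}: bad mode/action: {raw!r}")
        pattern = pattern.replace("$FG_ROOT", fg_root).replace("$FG_HOME", fg_home)
        regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
        rules.append((mode, action == "ALLOW", re.compile("^" + regex + "$")))
    return rules


def load_rules(global_text, local_text=None):
    """A local IOrules file replaces the global one, it does not extend it.

    Passing local_text="" therefore yields an empty rule set, which denies everything.
    """
    return parse_rules(local_text if local_text is not None else global_text)


def normalize(path, base=FG_HOME):
    """Lexically normalize before matching so '..' cannot walk out of an allowed subtree.

    Relative paths are taken relative to FG_HOME (an assumption of this example).
    Only '..' and '.' are resolved; a symlink planted inside an allowed directory
    would additionally need os.path.realpath() against the live filesystem, which
    is left out here so the example stays offline.
    """
    if not path.startswith("/"):
        path = posixpath.join(base, path)
    return posixpath.normpath(path)


def check(rules, mode, path):
    """First matching rule for this mode wins; no match means DENY."""
    p = normalize(path)
    for rule_mode, allow, regex in rules:
        if rule_mode == mode and regex.match(p):
            return allow
    return False


def ensure_extension(path, ext=".xml"):
    """Append-if-missing, as in the writexml()/savexml snippets quoted later in
    the thread: the write can never land on a file that lacks the extension."""
    return path if path.endswith(ext) else path + ext


if __name__ == "__main__":
    rules = load_rules(DEFAULT_RULES)
    for mode, path in [("WRITE", FG_HOME + "/Export/flight.svg"),
                       ("WRITE", FG_HOME + "/Export/../../.bashrc"),
                       ("WRITE", FG_HOME + "/autosave.xml"),
                       ("READ", "/etc/passwd")]:
        print(f"{mode:5} {path:45} -> {'ALLOW' if check(rules, mode, path) else 'DENY'}")
```

Two things worth noticing when running it: the order of a DENY $FG_ROOT/*.nas line relative to an ALLOW $FG_ROOT/* line decides whether io.nas is readable, exactly as the earlier message describes, and the Export/../../.bashrc write is refused only because the path is normalized before the pattern is applied; a matcher that compared the raw string against "$FG_HOME/Export/*" would let it through.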
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
* Sven Almgren -- Monday 16 June 2008:
> Can't you just restrict the io to the $FG_HOME dir or something?

Sure:

    READ ALLOW $FG_HOME/*
    WRITE ALLOW $FG_HOME/*

> like --io-read=/myDir --io-read=/tmp --io-write=/etc/passwd ?

Any of the options overwrites a previous one with the same name, so one would have to rewrite parts of options.cxx for that. (Yes, one can have several --config= options, but that's a different story.) You could, however, list all patterns in one option, separated by a (semi)colon. But then it would be harder to quickly add a path for a test or something. One could, of course, use this instead:

    --prop:io-read=/myDir --prop:io-read[1]=/tmp ...

But that would use the property tree, and then a malign *-set.xml file could sneak in whatever it wants. Though one could work around that.

An option --io-read would imply that this is a generic mechanism for all file IO, which it isn't. It's for Nasal's io.open() *only*, and handled in Nasal to 100%. Given the bunch of libraries it would be rather difficult to apply the checks to every file IO. You'd really have to use LD_PRELOAD, which won't work on MS Windows.

In other words: yes, it could (and maybe should) be done with options. And I'd even review and possibly apply a patch that implements it. At least for now we should be reasonably safe from evil people and have time to find better solutions. :-)

m.
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
* Melchior FRANZ -- Monday 16 June 2008:
> At least for now we should be reasonably safe from evil people and have time to find better solutions.

BTW: Why the sudden paranoia? Not that we should have waited much longer for some security enhancements in any case, but the fact that there seem now to be web sites with random fgfs addons to download made me feel a bit uncomfortable. It was all too easy to cause quite some damage, and not everyone reviews the fgfs stuff he installs. Of course, it would be better to keep the official repositories as the central place for all sorts of scenery and aircraft addons, and not to rely on any outside source. And to review the stuff before committing. :-)

m.
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
Melchior FRANZ wrote:
> * Melchior FRANZ -- Monday 16 June 2008:
> > At least for now we should be reasonably safe from evil people and have time to find better solutions.
>
> BTW: Why the sudden paranoia? Not that we should have waited much longer for some security enhancements in any case, but the fact that there seem now to be web sites with random fgfs addons to download made me feel a bit uncomfortable. It was all too easy to cause quite some damage, and not everyone reviews the fgfs stuff he installs. Of course, it would be better to keep the official repositories as the central place for all sorts of scenery and aircraft addons, and not to rely on any outside source. And to review the stuff before committing. :-)
>
> m.

A little paranoia now and then can only be healthy ;)

But as you said, you could use colons or commas for the list of files, like --prop:io-read=/myDir,/tmp,/dev/null or some other separator, like : or ;. Colon (:) is a bad idea as it would mess with Windows paths that involve a drive:, you could use semi-colon (;) but that would require escaping on Linux, if you don't do it like --prop:io-read="/myDir;/tmp;/dev/null;c:\windows\system32\sam".

About the tree, you could use it like you said, but that would be a hell to write, but I guess that would be a good solution otherwise... but parsing the line from above would also be doable, but I guess your tree names are more mainstream :P

But can't you just restrict the io to a single directory and then let the users install their extensions there? or just export the entire FG_ROOT?

But is this really needed? How do M$ flightsim extensions do it? You have to trust the source somewhat. We could sneak in bad code in fgfs too, and ppl would run it anyway... Can the addon creators be trusted as much as we can?

Comments?
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
On Mon, 16 Jun 2008 15:40:54 +0200, Sven wrote in message [EMAIL PROTECTED]:
> Melchior FRANZ wrote:
> > * Melchior FRANZ -- Monday 16 June 2008:
> > > At least for now we should be reasonably safe from evil people and have time to find better solutions.
> >
> > BTW: Why the sudden paranoia? Not that we should have waited much longer for some security enhancements in any case, but the fact that there seem now to be web sites with random fgfs addons to download made me feel a bit uncomfortable. It was all too easy to cause quite some damage, and not everyone reviews the fgfs stuff he installs. Of course, it would be better to keep the official repositories as the central place for all sorts of scenery and aircraft addons, and not to rely on any outside source. And to review the stuff before committing. :-)
> >
> > m.
>
> A little paranoia now and then can only be healthy ;)
>
> But as you said, you could use colons or commas for the list of files, like --prop:io-read=/myDir,/tmp,/dev/null or some other separator, like : or ;. Colon (:) is a bad idea as it would mess with Windows paths that involve a drive:, you could use semi-colon (;) but that would require escaping on Linux, if you don't do it like --prop:io-read="/myDir;/tmp;/dev/null;c:\windows\system32\sam".

..it's also possible to do our own thing, e.g. :: (2 colons):

    --prop:io-read=/myDir::/tmp::/dev/null::c:\windows\system32\sam

or say : (a : plus 2 's, unless it breaks something) like:

    --prop:io-read=/myDir:/tmp:/dev/null:c:\windows\system32\sam

building our own separator from more than one character, or even use one or more utf-8, e.g. the Norwegian letter å (a-ring) is pronounced "awe" just like the Norwegian "og" which btw means "and" in English, e.g.:

    --prop:io-read=/myDir:å:/tmp:å:/dev/null:å:c:\windows\system32\sam

I'm not aware of anyone using "å:" as a Microsoft drive name. ;o)

> About the tree, you could use it like you said, but that would be a hell to write, but I guess that would be a good solution otherwise... but parsing the line from above would also be doable, but I guess your tree names are more mainstream :P
>
> But can't you just restrict the io to a single directory and then let the users install their extensions there? or just export the entire FG_ROOT?
>
> But is this really needed? How do M$ flightsim extensions do it? You have to trust the source somewhat. We could sneak in bad code in fgfs too, and ppl would run it anyway... Can the addon creators be trusted as much as we can?
>
> Comments?

--
..med vennlig hilsen = with Kind Regards from Arnt... ;o)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three: best case, worst case, and just in case.
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
Melchior FRANZ wrote:
> It's well known that Nasal has an io module with wrappers around fopen(), fclose(), etc. An aircraft that you install, or even scenery objects with embedded Nasal could in the past use this to delete the contents of your whole home directory, or to append commands to ~/.bashrc, and thus execute code next time you open a shell!

I must admit I haven't followed the thread completely, but I think the number of occasions where one would allow FlightGear to write anything to the disk is so small that it might be better to handle those cases with internal functions. In other words; scripts are allowed to read anything but can only write using predefined functions.

(What are the reasons to write to a file anyway?)

Erik
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
Melchior FRANZ wrote:
> * Sven Almgren -- Monday 16 June 2008:
> > like --io-read=/myDir --io-read=/tmp --io-write=/etc/passwd ?
>
> One could, of course, use this instead:
>
>     --prop:io-read=/myDir --prop:io-read[1]=/tmp ...

I don't consider any command line option a security threat since writing to files can be done a lot easier than using FlightGear.. Any script that could write to the disk however is a security threat since not everybody (or probably no one) would check every file of a downloaded aircraft for security problems.

Erik
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
It's funny that nobody cared a year long, and now that the danger is supposed to be banned, people get scared and nervous. :-}

* Erik Hofman -- Monday 16 June 2008:
> (What are the reasons to write to a file anyway?)

Writing non-PropertyList XML files, like they are used in the traffic manager and for flight plans.

Writing *.stg files (adding models or adjusting elevations for the current terrain).

m.
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
Sven Almgren wrote:
> But is this really needed? How do M$ flightsim extensions do it? You have to trust the source somewhat. We could sneak in bad code in fgfs too, and ppl would run it anyway... Can the addon creators be trusted as much as we can?

Sure. FlightGear is a local program, and software it loads from the local drive can certainly do local I/O if it wants without breaking typical security models. That's the whole idea behind being able to download software from the internet in the first place. :)

My historical fear has been the interaction with the MP environment: the MP code can write to the property tree, and arbitrary property nodes have on various occasions been hooked to execute Nasal code. Being able to execute arbitrary Nasal code on another machine over the network would be a security disaster if that code could do I/O or spawn programs, etc...

What Melchior has done is fine with me, architecturally. Ideally, I guess I'd prefer a sandbox on the other side: an architecture that expressly prevents network data from being executed somehow, probably by strictly limiting the areas in the property tree it can write to. But this kind of architecture can work too: it just requires that every potentially unsafe operation be sandboxed in the same way as I/O.

Andy
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
* Melchior FRANZ -- Monday 16 June 2008:
> Writing non-PropertyList XML files, like they are used in the traffic manager and for flight plans.

Correction: not for flight plans -- these are PropertyLists. But for the other stuff like parking files etc.

The power of a system isn't defined by what is used, but by what can be done, and allowing scripts to write to the disk is a powerful feature. Dangerous if uncontrolled. But at the moment write access should only be possible to $FG_HOME/Export/, so I don't really see the problem. And if we offer the feature, people will find innovative ways to use it. If we don't, they won't.

While we are at it, we could strip off a lot of other features that not many people use. What about SP_FDM, jpeg factory, the bits.nas library, UIUC, LaRCSim, ...

m.
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
Melchior FRANZ wrote:
> It's funny that nobody cared a year long, and now that the danger is supposed to be banned, people get scared and nervous. :-}

I don't, I just thought I could help here.

Erik
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
Melchior FRANZ wrote:
> * Erik Hofman -- Monday 16 June 2008:
> > (What are the reasons to write to a file anyway?)
>
> Writing non-PropertyList XML files, like they are used in the traffic manager and for flight plans.

Maybe making sure the file ends with .xml could also help a lot.

Erik
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
* Erik Hofman -- Monday 16 June 2008:
> Maybe making sure the file ends with .xml could also help a lot.

io.nas:113: writexml()

    if(substr(path, -4) != ".xml") path ~= ".xml";

fg_commands.cxx:1365: do_save_xml_from_proptree()

    if (file.extension() != "xml") file.concat(".xml");

Both added by me quite a while ago, if I may add. :-)

m.
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
* Melchior FRANZ -- Monday 16 June 2008:
> * Erik Hofman -- Monday 16 June 2008:
> > (What are the reasons to write to a file anyway?)
>
> Writing non-PropertyList XML files, like they are used in the traffic manager and for flight plans.
>
> Writing *.stg files (adding models or adjusting elevations for the current terrain).

Writing an *.svg file with a graphic showing the flight path, or flight parameters. Or a smilie.

Writing or modifying a PostScript file, for example to hand out to children on LinuxTag or flight shows, with flight time and duration automatically filled in. You could move that straight to the printer. (Caution: an attacker could empty your toner cartridge with that! ;-)

Writing a TeX file with a table showing flight parameters, fuel consumption, whatever.

None of this is crucial, and all of it doable with external scripts from XML exported data. But the possibility to do it with Nasal drivers from within is nice. And something that other flight sims might not be able to do. Maybe something that our corporate users would like to do. They'll probably not download questionable aircraft from 3rd party sources. :-)

m.
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
On 06/13/2008 05:01 AM, Melchior FRANZ wrote in part:
> The second change is in $FG_ROOT/Nasal/io.nas. It replaces the original io.open() with a version that checks for illegal write access to non-authorized directories. (Reading is allowed everywhere. Use the OS' permissions to prevent that.) The list of allowed directories is hard coded in io.nas:
>
>     FG_HOME, /tmp/, /var/tmp/, [A-Za-z]:TMP/, [A-Za-z]:TEMP/, [A-Za-z]:/TMP/, [A-Za-z]:/TEMP/,
>
> Please tell me if this doesn't work for you,

Does this work at all? I gather the goal is to make all malicious code harmless. Is it really true that writing to /tmp and /var/tmp is harmless? If so, you should publish this in the computer security literature. There are a lot of people who would like to know about it. For example, the Java VM Security Model flatly forbids writing to the local disk, and a lot of people would like to be able to lift this restriction. (There's more I could say about this, but I don't want to distract from the main point.)

> (Reading is allowed everywhere. Use the OS' permissions to prevent that.)

Please explain this in more detail. For example, on ordinary Linux, what permissions should Joe User place on his personal financial files to make them unreadable by FGFS, and conversely what permissions should he place on his FG configuration files to make them readable?

I can sorta see how to approach this using pseudousers for privilege separation. That is, for each user (Alice, Bob, Carol, etc.) you could have a pseudouser (AliceFG, BobFG, CarolFG, etc.) with separate privileges. Is that what is being proposed?
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
On Fri, Jun 13, 2008 at 2:01 PM, Melchior FRANZ [EMAIL PROTECTED] wrote:
> FG_HOME, /tmp/, /var/tmp/, [A-Za-z]:TMP/, [A-Za-z]:TEMP/, [A-Za-z]:/TMP/, [A-Za-z]:/TEMP/,
>
> Please tell me if this doesn't work for you, or if you want more. You can add * as first entry to allow writing everywhere.

Are TEMP/TMP dirs on MS Windows always in upper case letters? You might consider the TEMP and TMPDIR environment variables too. For example, on a (virtual) Windows machine I have TEMP=c:\documents and settings\user\Local Settings\Temp, and no c:\temp (IIRC this was the default setup). There is a c:\windows\temp, however. Of course this is a non-issue if the nasal scripts don't try to write to these locations anyway.

--
Csaba/Jester
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
On Fri, 13 Jun 2008 17:10:11 +0200, Csaba wrote in message [EMAIL PROTECTED]:
> On Fri, Jun 13, 2008 at 2:01 PM, Melchior FRANZ [EMAIL PROTECTED] wrote:
> > FG_HOME, /tmp/, /var/tmp/, [A-Za-z]:TMP/, [A-Za-z]:TEMP/, [A-Za-z]:/TMP/, [A-Za-z]:/TEMP/,
> >
> > Please tell me if this doesn't work for you, or if you want more. You can add * as first entry to allow writing everywhere.
>
> Are TEMP/TMP dirs on MS Windows always in upper case letters? You might consider the TEMP and TMPDIR environment variables too. For example, on a (virtual) Windows machine I have TEMP=c:\documents and settings\user\Local Settings\Temp, and no c:\temp (IIRC this was the default setup). There is a c:\windows\temp, however. Of course this is a non-issue if the nasal scripts don't try to write to these locations anyway.

..one thing I remember from my final Wintendo95 days ten years ago, is how it would set a capital letter in the gui, e.g. C:\Tmp\Zippo.zip, but not in the file system, showing it up as e.g. /mnt/tmp/zippo.zip in SuSE-5.2. There may be more variants on those case playing games.

--
..med vennlig hilsen = with Kind Regards from Arnt... ;o)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three: best case, worst case, and just in case.
Re: [Flightgear-devel] [SECURITY] Nasal: io.open() restricted
* Csaba Halász -- Friday 13 June 2008:
> On Fri, Jun 13, 2008 at 2:01 PM, Melchior FRANZ [EMAIL PROTECTED] wrote:
> > [A-Za-z]:TMP/, [A-Za-z]:TEMP/, [A-Za-z]:/TMP/, [A-Za-z]:/TEMP/,
>
> You might consider the TEMP and TMPDIR environment variables too.

On Unix I'd even suggest to let io.open() write everywhere *but* ~, with the exception of ~/.fgfs/, or even just ~/.fgfs/*/. But I have no clue if that would be acceptable on MS Windows, where most people seem to work as root. The whole tmp dir concept seems to be a mess on MS Windows. I assume that a set TMPDIR or TEMP is rather the exception, and that the real tmp dir is stored in the registry. Not exactly a place where I'd like to go. I'd rather use FG_HOME only, then.

m.