[Freeciv-Dev] [bug #19729] luasql (database.lua) threat model unclear, security measures get in the way

2017-05-03 Thread Marko Lindqvist
Update of bug #19729 (project freeciv):

    Category: None => general
      Status: Need Info => Duplicate
 Assigned to: None => cazfi
 Open/Closed: Open => Closed

___

Follow-up Comment #7:

Handled at hostedredmine: https://www.hostedredmine.com/issues/657141

___

Reply to this item at:

  

___
  Message sent via/by Gna!
  http://gna.org/


___
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev



2016-05-03 Thread Marko Lindqvist
Update of bug #19729 (project freeciv):

 Planned Release:   2.6.0 => 3.0.0  

___

Follow-up Comment #6:

> This is not currently listed in S2_6 d3f targets. Targeting to 3.0 instead?

So done.


2016-01-20 Thread Marko Lindqvist
Follow-up Comment #5, bug #19729 (project freeciv):

This is *not* currently listed in S2_6 d3f targets. Targeting to 3.0 instead?
(Maybe we need to create Task for S3_0 d3f already so we can add dependencies
while we remember them)


2014-08-12 Thread Marko Lindqvist
Update of bug #19729 (project freeciv):

 Planned Release:   2.5.0 => 2.6.0


___

Reply to this item at:

  http://gna.org/bugs/?19729


2012-07-08 Thread Jacob Nevins
Update of bug #19729 (project freeciv):

 Planned Release: 2.4.0,2.5.0 => 2.5.0
      Depends on: => bugs #19911

___

Follow-up Comment #4:

> (Perhaps the path change should be in its own ticket, leaving
> this one for the wider discussion.)

I had to update the patch again, so I did create a new ticket: bug #19911.


2012-07-07 Thread Jacob Nevins
Follow-up Comment #3, bug #19729 (project freeciv):

Patch needed a little tweak; new (tested) ones attached.

So this installs to locations like /usr/local/etc/freeciv/database.lua. I
guess that makes sense; we're saying the server operator might want to tweak
this, so Debian would probably treat it as a conffile and put it in /etc (in
fact I've updated README.packaging to suggest this).

I agree we can live without a way to override the system database.lua for
now.

So, this seems like a reasonable position for 2.4, thanks. I can do something
dirty to get round the lack of Lua os.time() and thus complete the SQLite
support.

For 2.5, any objection to lifting some or all of the restrictions on the Lua
instance used for luasql?

(Perhaps the path change should be in its own ticket, leaving this one for the
wider discussion.)

(file #16014, file #16015)
___

Additional Item Attachment:

File name: trunk-dbluaLoc-bis.patch   Size: 2 KB
File name: S2_4-dbluaLoc-bis.patch    Size: 3 KB



2012-07-04 Thread Marko Lindqvist
Follow-up Comment #1, bug #19729 (project freeciv):

Let's start to open this by stating that database.lua should not be in the data
path. Most importantly, it should not be searched for like other data files
(meaning that even without overwriting the original one, it would be possible
to just place a replacement in a higher-priority location), but it also should
be in a place where files are not usually written (unpacking a custom modpack
to the datadir root or downloading it with freeciv-modpack should not be able
to overwrite it). Server operators should create a separate mysql user for
freeciv that has no right to do anything else, but do they? In the worst case
an attacker's database.lua gets access to other, non-freeciv, databases on the
server machine.

How important is it for a non-root user to be able to write his/her own
database.lua, if root has installed freeciv anyway? Remember that until 2.4
people have lived without the ability to have their own database.lua at all.
Let's do this in the simplest way for S2_4 by reading database.lua from one
given location (${sysconfdir}/freeciv/database.lua?). If really needed, we can
add support for overriding that database.lua in 2.5 with more time to test it
before release. One option for such a database.lua location is the ~/.freeciv/
root (freeciv-modpack downloads to version-specific subdirs, or to the
scenarios subdir).

For beta1 we should have the correct location for database.lua. Other things
can wait until after the beta, or?

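The difference between a searched data path and a single fixed location, as raised in Comment #1 above, shown as an added C illustration (not Freeciv code and not taken from the patches attached to this ticket). The function names, `DB_SCRIPT`, the temporary directories and the rejection of group- or world-writable files are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#define DB_SCRIPT "database.lua"
struct result { int winner, fixed_ok, fixed_loose; };

/* Data-path lookup: the first directory holding the file wins, so a copy in a
 * higher-priority directory shadows the system one without overwriting it. */
int resolve_in_datapath(const char *const dirs[], int n, char *out, size_t len) {
  struct stat st;
  for (int i = 0; i < n; i++) {
    snprintf(out, len, "%s/%s", dirs[i], DB_SCRIPT);
    if (stat(out, &st) == 0 && S_ISREG(st.st_mode)) return i;
  }
  return -1;
}

/* Fixed lookup: one candidate only. Assumed extra check: it must be a regular
 * file (not a symlink) that group and others cannot write. */
int resolve_fixed(const char *confdir, char *out, size_t len) {
  struct stat st;
  snprintf(out, len, "%s/%s", confdir, DB_SCRIPT);
  if (lstat(out, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
  return (st.st_mode & (S_IWGRP | S_IWOTH)) ? -2 : 0;
}

struct result demo(void) {
  char user[] = "/tmp/fc-userXXXXXX", sys[] = "/tmp/fc-sysXXXXXX", out[256];
  const char *const path[] = { user, sys };  /* user dir outranks system dir */
  struct result r = { -1, -1, -1 };
  if (!mkdtemp(user) || !mkdtemp(sys)) return r;  /* constructed temp dirs */
  for (int i = 0; i < 2; i++) {  /* same file name planted in both */
    snprintf(out, sizeof out, "%s/%s", path[i], DB_SCRIPT);
    FILE *f = fopen(out, "w");
    if (f) fclose(f);
    chmod(out, 0644);
  }
  r.winner = resolve_in_datapath(path, 2, out, sizeof out);
  r.fixed_ok = resolve_fixed(sys, out, sizeof out);
  chmod(out, 0666);  /* out now names the system copy; loosen its mode */
  r.fixed_loose = resolve_fixed(sys, out, sizeof out);
  return r;
}

int main(void) {
  struct result r = demo();
  printf("winner=%d strict=%d loose=%d\n", r.winner, r.fixed_ok, r.fixed_loose);
  return 0;
}
```

Each run leaves two small temporary directories under /tmp, which can be deleted afterwards.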



2012-07-04 Thread Marko Lindqvist
Follow-up Comment #2, bug #19729 (project freeciv):

Untested patch to have database.lua in $sysconfdir/freeciv/. Untested since my
primary development machine is down and I don't have mysql set up on this one.
Can someone test?

Note that since $sysconfdir/freeciv is the only location where database.lua is
looked for, it cannot be used directly from builddir.

(file #15976)
___

Additional Item Attachment:

File name: dbluaLoc.diff  Size:2 KB

