Nick Gammon said: It seems bizarre to me to be arguing for the removal of the sandbox, which effectively gives anyone who convinces a player to load a plugin complete control over their PC.
Put simply, despite its benefits to users of Lua plugins, it has a serious usability problem in that the user has to dig around in some obscure area, find the plugin's ID, find their world's ID, and edit them in. If the usability problem were addressed - i.e. a list dialog much like the trigger/alias/etc list, containing "trusted" plugins and their permissions - there wouldn't be nearly as much griping.
Nick Gammon said: So rather than arguing that since the back door lock is broken, we may as well leave the front door unlocked as well, perhaps we can address the real issues.
I've mentioned fixing the usability issue before, and there was no interest. Obviously it would be better to extend the security we have, but in lieu of making it less than a major hassle...
Nick Gammon said: The insecurity of VBscript and other WSH languages
This could be addressed by making the default to not allow those script languages at all (effectively sandboxing them out of existence). Then you would have to make a conscious decision to allow one. So for example, if you download a Python plugin, the player has to actively approve its use. There could be a message "warning - this script language gives uncontrolled access to your PC - do you want to allow this?".
This seems like an excellent and seemingly easy security measure to introduce.
Nick Gammon said: The annoyance of installing plugins from trusted players
This could be addressed by some sort of trust system (like security certificates from web sites). I'm hazy on how the details would work, but some sort of certification process that a trusted writer (eg. Twisol, Worstje) could easily generate, but that an unknown writer could not. Then MUSHclient could have a list of trusted script-writers that are automatically allowed to have plugins installed, including bypassing the existing sandbox.
These trusted certificates could be:
* Pre-installed; or
* Installed once per author when required; or
* Checked by querying the mushclient.com web site in some way (say, once per certificate)
This is also a good idea, but I'm similarly hazy on the details...
Nick Gammon said: I should mention in passing that I personally use the sandbox for other purposes than just security. For instance, if I put in it:
Then every world automatically has access to the tprint utility without it having to be loaded every time I want to check out a table.
I usually add that to my script file instead, but then I have very few worlds. I have a suggestion for making script file usage easier, but that's for another thread.
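The two proposals quoted above (refuse unsandboxable script languages unless the user explicitly approves them, and let plugins from certified authors bypass that prompt and the sandbox) combine into one loading policy. The following is an added illustration written for this thread, not MUSHclient's code and not anything either poster wrote: it uses Ed25519 detached signatures as the "certificate" a trusted author can produce and an unknown writer cannot, and a hypothetical trust list mapping author names to accepted public keys. The type and function names (TrustStore, Decide, SignPlugin, PromptText), the plugin bodies and the key pair are all constructed for the example; "Twisol" is used only as the name of the trusted author from the discussion.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Decision is what the client would do with a plugin before running any of it.
type Decision int

const (
	Sandboxed   Decision = iota // run under the existing sandbox (only possible for Lua)
	Trusted                     // author signature verified against the trust list: full access
	NeedsPrompt                 // unsandboxable language, unknown author: user must approve
	Rejected                    // claims a trusted author but the signature does not verify
)

func (d Decision) String() string {
	return [...]string{"Sandboxed", "Trusted", "NeedsPrompt", "Rejected"}[d]
}

// Languages the client can confine. Per the thread, Lua has a sandbox; the WSH
// languages (VBscript, JScript) and Python do not.
var sandboxable = map[string]bool{"lua": true}

// TrustStore maps a plugin author to the public key the user (or a pre-installed
// list) has accepted for them. Hypothetical: MUSHclient has no such store.
type TrustStore map[string]ed25519.PublicKey

// SignPlugin is the step a trusted author runs once per release: a detached
// signature over the exact bytes of the plugin file.
func SignPlugin(priv ed25519.PrivateKey, pluginBytes []byte) []byte {
	return ed25519.Sign(priv, pluginBytes)
}

// Decide applies the policy: a verified signature from a listed author wins;
// otherwise a sandboxable language is sandboxed and anything else goes to the
// user for explicit approval.
func (ts TrustStore) Decide(author, language string, pluginBytes, sig []byte) Decision {
	if pub, known := ts[author]; known {
		if ed25519.Verify(pub, pluginBytes, sig) {
			return Trusted
		}
		// A file claiming a trusted author without a valid signature is exactly
		// what the trust list exists to catch: never fall back to the prompt.
		return Rejected
	}
	if sandboxable[strings.ToLower(language)] {
		return Sandboxed
	}
	return NeedsPrompt
}

// PromptText is the warning the thread proposes for an unsandboxable language.
func PromptText(language string) string {
	return fmt.Sprintf("warning - %s gives uncontrolled access to your PC - allow this plugin?", language)
}

func main() {
	// Constructed key pair standing in for a trusted author's key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trust := TrustStore{"Twisol": pub}

	// Constructed plugin bodies; real plugins are MUSHclient XML files.
	signed := []byte(`<plugin name="mapper" author="Twisol" language="VBscript"/>`)
	sig := SignPlugin(priv, signed)
	tampered := append([]byte{}, signed...)
	tampered[len(tampered)-3] = 'X' // one byte changed after signing
	luaPlugin := []byte(`<plugin name="tprint" author="someone" language="Lua"/>`)
	pyPlugin := []byte(`<plugin name="stats" author="someone" language="Python"/>`)

	fmt.Println("signed by trusted author:", trust.Decide("Twisol", "VBscript", signed, sig))
	fmt.Println("tampered after signing:  ", trust.Decide("Twisol", "VBscript", tampered, sig))
	fmt.Println("unknown author, Lua:     ", trust.Decide("someone", "Lua", luaPlugin, nil))
	d := trust.Decide("someone", "Python", pyPlugin, nil)
	fmt.Println("unknown author, Python:  ", d)
	if d == NeedsPrompt {
		fmt.Println(PromptText("Python"))
	}
}
```

The design choice worth noting is the Rejected branch: a plugin that names a trusted author but fails verification is not demoted to the ordinary prompt, because that is precisely the case (an edited or impersonated plugin) the trust list is meant to stop. Whether the keys are pre-installed, installed once per author, or fetched from mushclient.com only changes how the TrustStore gets populated, not the check itself.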