Does /moddb command come with security risks?


MazorNoob

As a newbie admin I was surprised to learn that there exists a /moddb command that allows anyone with the server admin role to install and remove mods. That immediately got me thinking:

* Doesn't it trivially lead to a limited privilege escalation, from a player with an admin role to being able to do anything on the target box as the user that's running the server? Just push a malicious harmony mod to the db, install it on the server with /moddb and you're done. I don't think VS moddb is moderated to an extent that such an attack would be impossible.

* If that's the case, is there a way to disable the moddb command for all users, including admin? I don't run my server as root of course, but I'd still rather not have any admin I appoint snooping around the box as a regular user either. I'd also rather have admin be unable to do that either, in case vs ever has an exploit that gives a user admin rights.

Why not just limit who you give admin access to? Or are you getting at that there should be a separate Moderator class with a limited subset of admin privileges? I'm pretty sure you can do that through /role and /player. At least in a different voxel game (no, not THAT voxel game) that was exactly how it was done. By default, there were only Admin and Player classes. Any other classes you wanted were defined at the console, or, ideally, in the config.

But "administrate the server" just means moderator, right? You are not talking administrating the physical box or even the OS, but rather just this instance of VirtualstoryServer, right? Admittedly, I'm not a Unix guy, so I don't know what that word entails in your system. In Windows, Admin is a special, near-root level access. No user (including Admin) and very few processes would have unrestricted root level access in any reasonably designed system. And VS cannot grant you system privileges greater than whatever your process is logged in as. On a VS-Admin login (which has r/w permissions to only the VS directory, the mods directory (likely a subdirectory of VS) and wherever the SQL is (again, for ease, likely within the VS directory)) the OS itself would prevent more than corruption of the world and deletion of game files.

I do agree, though, that I would not grant anyone else Admin until I was absolutely sure you couldn't do some buffer overflow trick or pull a Bobby Tables and do something you should not be able to in a properly designed system. It's not like Moderators really need to be updating mods regularly anyway. Those can wait until the superuser is on.

There's a few terms here:

* VS admin is the "admin" role of the player. You can send commands to the server and the server lets you do "anything". That doesn't mean letting the server process execute arbitrary code, only having the server do what it's written to do.

* Server user is the user that the VS server is running as on the box. Think of it as a user account on Windows. It can do some things, can't do others.

* Root is the administrator on the box. It can do anything.

My concern is elevating privileges from the first point to the second. Mods that hook up to the game via Harmony could in principle do anything, so a VS admin that can install a mod can make the server run arbitrary code, meaning he can do anything as the user running it. It's not catastrophic, but annoying.

Fair. That's how I figured it worked. Should be able to lock it down tight enough by only granting the vs directory to the user the server is running under. Everything else on your box is off limits to him.

A moderator is mostly dealing with booting griefers, maybe removing a rift if some n00b is having problems with one just outside his Chateau de Terre or things of that nature. He doesn't really need to be able to do block id remapping or query block ids or run a stacktrace, like a real admin might. Once VS is out of early access, it would not surprise me if that is incorporated.

But for the moment, if you don't think you can trust the people you trust, you have the tools to fix it. 
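
One way to enforce and verify the boundary the thread settles on (the server user may write only inside the game directory), as an added example rather than anything from the thread or the Vintage Story project: a POSIX shell script that creates a dedicated account, gives it the game directory and nothing else, and then lists every path on the root filesystem that account can still write to. The account name `vintagestory`, the directory `/var/lib/vintagestory`, and the `dotnet VintagestoryServer.dll --dataPath ...` launch line are assumptions; substitute whatever your install uses. This bounds the blast radius of a malicious Harmony mod to that directory and the process itself. It does not stop an admin from installing one, and a mod running as that user can still read anything world-readable and open outbound network connections.

```shell
#!/bin/sh
# Added example (not from the thread or the Vintage Story project): confine the
# server to a dedicated OS user that can write only inside its own directory, and
# audit that boundary. User name, paths and the launch command are assumptions.
set -u

VS_USER="${VS_USER:-vintagestory}"          # assumed unprivileged account name
VS_HOME="${VS_HOME:-/var/lib/vintagestory}" # assumed install + data directory

# paths_outside PREFIX: read newline-separated paths on stdin, print those that are
# neither PREFIX itself nor below it. Pure text filter, so it is testable without root.
paths_outside() {
  prefix="$1"
  # ERE: the line is exactly the prefix, or the prefix followed by a slash.
  grep -E -v "^${prefix}(/|$)" || true
}

# drop_scratch_dirs: remove locations that are world-writable by design (sticky
# temp dirs). PrivateTmp=yes in a systemd unit takes those away from the server too.
drop_scratch_dirs() {
  grep -E -v '^/(tmp|var/tmp)(/|$)' || true
}

# setup: run once as root. Creates a system account with no login shell and makes
# the game directory the only tree it owns. Every other path keeps root ownership.
setup() {
  [ "$(id -u)" -eq 0 ] || { echo "setup must run as root" >&2; return 1; }
  id "$VS_USER" >/dev/null 2>&1 || \
    useradd --system --home-dir "$VS_HOME" --shell /usr/sbin/nologin "$VS_USER"
  mkdir -p "$VS_HOME"
  chown -R "$VS_USER:$VS_USER" "$VS_HOME"
  chmod 750 "$VS_HOME"
}

# audit: run as root. Walks the root filesystem as the server user (-xdev: add other
# mount points such as a separate /home if you have them) and prints every writable
# path outside the game directory and the scratch dirs. Expected output: nothing.
audit() {
  [ "$(id -u)" -eq 0 ] || { echo "audit must run as root" >&2; return 1; }
  su -s /bin/sh -c \
    'find / -xdev \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o -writable -print 2>/dev/null' \
    "$VS_USER" | drop_scratch_dirs | paths_outside "$VS_HOME"
}

# run: start the server under the confined account (launch command is an assumption;
# adapt it to the installed version). --dataPath keeps saves and mods inside VS_HOME.
run() {
  [ "$(id -u)" -eq 0 ] || { echo "run must be started as root to drop privileges" >&2; return 1; }
  cd "$VS_HOME" || return 1
  exec su -s /bin/sh -c \
    "exec dotnet \"$VS_HOME/VintagestoryServer.dll\" --dataPath \"$VS_HOME/data\"" \
    "$VS_USER"
}

case "${1:-}" in
  setup) setup ;;
  audit) audit ;;
  run)   run ;;
  *)     ;;   # no subcommand: only define the functions
esac
```

Run `sh confine-vs.sh setup` once as root, start the server with `sh confine-vs.sh run`, and expect `sh confine-vs.sh audit` to print nothing; any path it does print is somewhere the server user, and therefore any mod an admin installs through /moddb, can write. On a systemd host the same boundary can be declared instead of audited, with `User=vintagestory`, `ProtectSystem=strict`, `ReadWritePaths=/var/lib/vintagestory`, `PrivateTmp=yes` and `NoNewPrivileges=yes` in the unit.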
