URL:
  <http://gna.org/bugs/?15624>

                 Summary: [RFC] scripting: Sandbox Lua scripts
                 Project: Freeciv
            Submitted by: englabenny
            Submitted on: Sunday 2010-03-14 at 22:40
                Category: general
                Severity: 3 - Normal
                Priority: 1 - Later
                  Status: None
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
                 Release: 
         Discussion Lock: Any
        Operating System: None
         Planned Release: 

    _______________________________________________________

Details:

Code executed in our Lua runtime has by default access to all builtin
lua functions and modules. These include functions to load lua files
or access the operating system.

As an example, a ruleset or scenario script could execute arbitrary
shell commands (for example the 'uptime' program, to use a harmless
example) using: os.execute("uptime"). Additionally, the builtin module
io allows Lua code to open and read/write files.

If we can, we should make freeciv rock-solid safe w.r.t. scenario
scripts; they should be simple data, without security implications.
Otherwise a server administrator must scrutinize any custom ruleset
and scenario before installing it, and users could experience
viruses in the form of freeciv scenarios or savegames.

Lua provides a method called "setfenv" that allows the caller to set
the environment a called function executes in. We set up a restricted
environment and execute ruleset/scenario code only inside this. In the
code, this restricted execution is carried out inside
script.c:script_call (which is now the only entry point for user
code).

The setup of the restricted environment uses a whitelist of builtin
symbols (functions, values and modules) that we allow in the scripting
environment, defined in api.pkg, where we also have a comment:

    We want to assure that
    1) The script has no access to the operating system
       (loadfile, os module, io module).
    2) The script can not modify modules that freeciv's script runtime
       uses, for example by diverting error handling routines or similar.
    3) The script can not break out of the sandbox.

I have used this community resource as reference when picking builtins
to whitelist:

    http://lua-users.org/wiki/SandBoxes

Notice, however, that a normal freeciv script needs next to no builtins.
We don't foresee needing class and inheritance programming, so much of
Lua's power can be turned off. The whitelist of builtins is thus
small.

The sandbox construction assumes that all parts of our game api are
safe.




    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Sunday 2010-03-14 at 22:40  Name:
0001-scripting-Sandbox-Lua-scripts.patch  Size: 8 kB   By: englabenny

<http://gna.org/bugs/download.php?file_id=8531>

    _______________________________________________________

Reply to this item at:

  <http://gna.org/bugs/?15624>

_______________________________________________
  The message was sent via/by Gna!
  http://gna.org/


_______________________________________________
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

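The mechanism the RFC describes (a restricted environment built from a whitelist of builtins, installed with setfenv before untrusted chunk code runs) is illustrated below. This is an added example and not Freeciv's own code or its api.pkg whitelist; the whitelist contents, the `game_api` table and the function names are assumptions. It targets Lua 5.1, where setfenv exists; setfenv was removed in Lua 5.2, where `load` takes the environment as its fourth argument instead, and the example falls back to that so it runs on either version. It also refuses precompiled bytecode, which loadstring would otherwise accept and which is a known way to escape a Lua 5.1 sandbox.

```lua
-- Added example (not Freeciv's code): a setfenv-based sandbox that exposes
-- only a whitelist of builtins to untrusted ruleset/scenario scripts.
-- Lua 5.1 uses setfenv; Lua 5.2+ passes the environment to load() instead.
-- The whitelist below and the `game_api` table are assumptions for the demo.

local whitelist = {
  "assert", "error", "ipairs", "pairs", "next", "pcall", "select",
  "tonumber", "tostring", "type", "unpack", "xpcall",
}
local module_whitelist = {
  string = { "byte", "char", "find", "format", "gmatch", "gsub", "len",
             "lower", "match", "rep", "reverse", "sub", "upper" },
  table  = { "concat", "insert", "remove", "sort" },
  math   = { "abs", "ceil", "floor", "max", "min", "sqrt", "huge", "pi" },
}

-- Build a fresh environment table for one script. The module tables are
-- copied rather than shared, so a script that does `string.len = nil` only
-- damages its own copy and cannot divert functions the host runtime uses.
local function make_env(game_api)
  local env = {}
  for _, name in ipairs(whitelist) do env[name] = _G[name] end
  for modname, members in pairs(module_whitelist) do
    local src, dst = _G[modname], {}
    for _, m in ipairs(members) do dst[m] = src[m] end
    env[modname] = dst
  end
  -- Game API functions are exposed as-is; as in the RFC, they are assumed safe.
  for k, v in pairs(game_api or {}) do env[k] = v end
  env._G = env   -- _G inside the sandbox points at the sandbox, not the host
  return env
end

-- Compile and run untrusted source text inside a restricted environment.
-- Returns ok, result-or-error, in the style of pcall.
local function sandbox_call(source, chunkname, game_api)
  -- Lua 5.1's loadstring happily loads bytecode, and crafted bytecode can
  -- break out of a sandbox, so only accept source text ("\27" starts a chunk).
  if string.sub(source, 1, 1) == "\27" then
    return false, "precompiled chunks are not allowed"
  end
  local env = make_env(game_api)
  local fn, err
  if setfenv then
    -- Lua 5.1: compile, then swap the function's globals for our table.
    fn, err = loadstring(source, chunkname)
    if not fn then return false, err end
    setfenv(fn, env)
  else
    -- Lua 5.2+: mode "t" rejects bytecode, env replaces the globals.
    fn, err = load(source, chunkname, "t", env)
    if not fn then return false, err end
  end
  return pcall(fn)
end

-- Constructed hostile script: probes for the escape routes the RFC lists.
local hostile = [[
  local r = {}
  r[1] = type(os) == "nil"            -- goal 1: no os module
  r[2] = type(io) == "nil"            -- goal 1: no io module
  r[3] = type(loadfile) == "nil"      -- goal 1: cannot load files
  r[4] = type(getfenv) == "nil"       -- goal 3: cannot reach real globals
  r[5] = type(setmetatable) == "nil"  -- goal 3: cannot alter metatables
  r[6] = string.upper("ok") == "OK"   -- whitelisted library still works
  r[7] = turn == 1                    -- game API value is visible
  string.upper = nil                  -- goal 2: hits only this script's copy
  return r
]]

local ok, r = sandbox_call(hostile, "=hostile", { turn = 1 })
assert(ok, r)
for i = 1, 7 do assert(r[i], "check " .. i .. " failed") end
assert(string.upper("still") == "STILL")   -- host's string table is intact
assert(not sandbox_call("\27Lua", "=bytecode"))
print("sandbox checks passed")
```

One caveat worth keeping in mind with this construction: string values carry a shared metatable whose __index is the host's real `string` table, so `("x"):upper()` inside the sandbox reaches the host library even though `string` in the environment is a copy. That is harmless here because `string` contains nothing that touches the operating system, but it is why `getmetatable` and `setmetatable` stay off the whitelist.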