| Time |
Nick |
Message |
| 00:15 |
|
v-rob joined #minetest |
| 00:30 |
|
Alias2 joined #minetest |
| 00:32 |
|
Soni joined #minetest |
| 00:34 |
|
Hawk777 joined #minetest |
| 01:32 |
|
garywhite1 joined #minetest |
| 01:34 |
|
Guest2 joined #minetest |
| 01:36 |
|
Guest2 joined #minetest |
| 01:43 |
|
Guest41 joined #minetest |
| 01:43 |
Guest41 |
Hello |
| 01:47 |
MTDiscord |
<Jonathon> hi |
| 02:02 |
|
Elzington joined #minetest |
| 02:34 |
|
est joined #minetest |
| 03:06 |
|
sagax joined #minetest |
| 03:28 |
|
queria joined #minetest |
| 03:33 |
|
queria joined #minetest |
| 03:43 |
|
TempestMancer joined #minetest |
| 04:34 |
|
v-rob joined #minetest |
| 04:46 |
|
seanthebuilder1 joined #minetest |
| 05:00 |
|
MTDiscord joined #minetest |
| 05:27 |
|
MTDiscord joined #minetest |
| 05:27 |
|
seanthebuilder1 joined #minetest |
| 05:27 |
|
v-rob joined #minetest |
| 05:27 |
|
TempestMancer joined #minetest |
| 05:27 |
|
queria joined #minetest |
| 05:27 |
|
sagax joined #minetest |
| 05:27 |
|
Elzington joined #minetest |
| 05:27 |
|
Hawk777 joined #minetest |
| 05:27 |
|
Soni joined #minetest |
| 05:27 |
|
Alias2 joined #minetest |
| 05:27 |
|
Wikiwide joined #minetest |
| 05:27 |
|
Taoki joined #minetest |
| 05:27 |
|
Extex joined #minetest |
| 05:27 |
|
specing joined #minetest |
| 05:27 |
|
olliy joined #minetest |
| 05:27 |
|
hook54321 joined #minetest |
| 05:27 |
|
jvalleroy joined #minetest |
| 05:27 |
|
riff-IRC joined #minetest |
| 05:27 |
|
frostsnow joined #minetest |
| 05:27 |
|
illwieckz joined #minetest |
| 05:27 |
|
Peppy joined #minetest |
| 05:27 |
|
bwarden joined #minetest |
| 05:27 |
|
bgg joined #minetest |
| 05:27 |
|
lumidify joined #minetest |
| 05:27 |
|
valhalla joined #minetest |
| 05:27 |
|
clavi joined #minetest |
| 05:27 |
|
kevinsan joined #minetest |
| 05:27 |
|
comrad joined #minetest |
| 05:27 |
|
iamweasel joined #minetest |
| 05:27 |
|
Cork joined #minetest |
| 05:27 |
|
x_ joined #minetest |
| 05:27 |
|
nuala joined #minetest |
| 05:27 |
|
Krock joined #minetest |
| 05:27 |
|
adam_mc joined #minetest |
| 05:27 |
|
search_s1cial joined #minetest |
| 05:27 |
|
MiniontobyPI joined #minetest |
| 05:27 |
|
sy joined #minetest |
| 05:27 |
|
macaw joined #minetest |
| 05:27 |
|
ghoti joined #minetest |
| 05:27 |
|
\ joined #minetest |
| 05:27 |
|
Sokomine joined #minetest |
| 05:27 |
|
dunj3 joined #minetest |
| 05:28 |
|
AndrewYu joined #minetest |
| 05:29 |
|
wolfshappen joined #minetest |
| 05:30 |
|
chilledfrogs joined #minetest |
| 05:32 |
|
hook54321 joined #minetest |
| 05:37 |
|
Edgy2 joined #minetest |
| 05:38 |
|
jfindlay joined #minetest |
| 05:40 |
|
rogerm[m] joined #minetest |
| 05:50 |
|
Bombo joined #minetest |
| 05:50 |
|
Evil joined #minetest |
| 05:50 |
|
TomTom joined #minetest |
| 05:50 |
|
copygirl joined #minetest |
| 05:50 |
|
Bombo joined #minetest |
| 05:51 |
|
nore joined #minetest |
| 05:51 |
|
beanzilla joined #minetest |
| 05:51 |
|
simon816 joined #minetest |
| 05:57 |
|
specing_ joined #minetest |
| 05:58 |
|
mister-e[m] joined #minetest |
| 06:01 |
|
riff-IRC joined #minetest |
| 06:50 |
|
seanthebuilder1 joined #minetest |
| 07:15 |
|
CWz_ joined #minetest |
| 07:54 |
|
calcul0n joined #minetest |
| 08:10 |
|
v-rob joined #minetest |
| 08:13 |
|
v-rob joined #minetest |
| 08:20 |
|
peterz joined #minetest |
| 08:25 |
|
est31 joined #minetest |
| 08:54 |
|
riff-IRC joined #minetest |
| 09:11 |
|
est31 joined #minetest |
| 09:13 |
|
v-rob joined #minetest |
| 09:46 |
|
tech_exorcist joined #minetest |
| 10:07 |
|
seanthebuilder1 joined #minetest |
| 10:26 |
|
AwesomeAdam54321 joined #minetest |
| 10:39 |
|
Fixer joined #minetest |
| 10:40 |
|
AwesomeAdam54321 left #minetest |
| 10:56 |
|
AristotIe joined #minetest |
| 11:04 |
|
proller joined #minetest |
| 11:05 |
|
jvalleroy joined #minetest |
| 11:05 |
|
jvalleroy joined #minetest |
| 11:06 |
|
jvalleroy joined #minetest |
| 11:08 |
|
jvalleroy joined #minetest |
| 11:18 |
|
bgg joined #minetest |
| 11:18 |
|
bgg joined #minetest |
| 11:25 |
|
bgg_ joined #minetest |
| 11:41 |
|
Tarap-- joined #minetest |
| 12:03 |
|
tech_exorcist joined #minetest |
| 12:31 |
|
kilbith joined #minetest |
| 12:32 |
kilbith |
we've got a winner here: https://content.minetest.net/threads/1563/ |
| 12:32 |
|
proller joined #minetest |
| 12:45 |
sfan5 |
storing the http api in a global variable does seem unwise |
| 12:47 |
kilbith |
is someone able to demonstrate some practical examples of security exploits? |
| 12:47 |
kilbith |
because for instance, I haven't seen it |
| 12:47 |
rubenwardy |
that is a security issue, it effectively disables secure.http_mods |
| 12:47 |
kilbith |
skinsdb is storing http in a global too |
| 12:47 |
kilbith |
in the mod namespace as well |
| 12:47 |
kilbith |
like many other mods |
| 12:47 |
rubenwardy |
it's not as bad as exposing insecure environments, but it's not good practice |
| 12:49 |
kilbith |
so a mod could exploit i3.http without being registered in secure.http_mods, correct? |
| 12:50 |
kilbith |
if that so, what kind of data could be exploited? how dangerous it could be for the user? |
| 12:54 |
rubenwardy |
the setting exists so that users can be informed about which mods have internet access, as this in itself has performance/privacy/security concerns |
| 12:54 |
rubenwardy |
other mods making the same mistake isn't an excuse |
| 12:55 |
kilbith |
if by "sensible data" you mean you can http-send that "one player has 10 diamonds in some chest", I can only laugh at that |
| 12:55 |
rubenwardy |
I'd like there to be a dialog for HTTP mods at Select Mod time |
| 12:55 |
kilbith |
* sensitive |
| 12:55 |
|
GNUHacker joined #minetest |
| 12:55 |
rubenwardy |
and the ability to request_http_api() from a dofile |
| 12:56 |
rubenwardy |
the latter one would make it more convenient to not store it in a global |
| 12:58 |
sfan5 |
if you'd like a more realistic example a mod could leak chat and/or private message |
| 12:58 |
kilbith |
waaaw |
| 12:58 |
sfan5 |
or track user's IPs and send them somewhere |
| 12:58 |
sfan5 |
or misuse the server's computing power to minute whatever cryptocurrency |
| 12:59 |
kilbith |
but websites are already tracking our IPs |
| 12:59 |
sfan5 |
you seem to think that is an excuse |
| 12:59 |
kilbith |
private messages or chat = lol |
| 13:00 |
sfan5 |
it's okay if you do not care about your users privacy but then you should state that clearly in the README |
| 13:00 |
kilbith |
Minetest isn't the place to share some confidential data about your lofe |
| 13:00 |
kilbith |
life |
| 13:01 |
sfan5 |
like I said just state it in your readme so your users are informed |
| 13:01 |
sfan5 |
they can then judge themselves whether they agree |
| 13:02 |
rubenwardy |
btw, to pass secure object into another dofile you can do: `assert(loadfile(path .. "file.lua"))(http_api)` |
| 13:02 |
rubenwardy |
then `local http = ...` |
| 13:02 |
rubenwardy |
if you have more than one thing you want to be local to your mod, you can make a `local shared` in the mod's init.lua |
| 13:04 |
kilbith |
`local shared`? |
| 13:04 |
|
sy joined #minetest |
| 13:04 |
kilbith |
never heard of that |
| 13:04 |
kilbith |
you are not saying that `shared` is a Lua keyword, right? |
| 13:05 |
rubenwardy |
I mean `local shared = { http = minetest.request_http_api(), other_thing = 3 }` |
| 13:06 |
sfan5 |
rubenwardy: btw have you considered CDB running an automated test with the mod installed? |
| 13:06 |
sfan5 |
(not related to this, just in general) |
| 13:08 |
rubenwardy |
I have yeah |
| 13:09 |
rubenwardy |
my problem with that would be running untested code, even if Minetest has a sandbox |
| 13:09 |
rubenwardy |
would also require a CLI interface for installing the mods, with the dependencies |
| 13:09 |
rubenwardy |
but it's possible |
| 13:09 |
rubenwardy |
you could have a different VPS for untrusted mods I guess |
| 13:09 |
rubenwardy |
s/untrusted mods/testing the mods/ |
| 13:10 |
sfan5 |
containers / OS sandboxes? |
| 13:15 |
sfan5 |
if you need inspiration there's this https://github.com/minetest/minetest/blob/master/util/test_multiplayer.sh |
| 13:15 |
sfan5 |
even less code if you test without a client |
| 13:19 |
|
tech_exorcist joined #minetest |
| 13:19 |
|
definitelya joined #minetest |
| 13:24 |
|
GNUHacker left #minetest |
| 13:43 |
|
SuperMiner joined #minetest |
| 14:19 |
|
kamdard joined #minetest |
| 14:20 |
|
Fixer_ joined #minetest |
| 14:57 |
|
Taoki joined #minetest |
| 14:59 |
|
Teckla joined #minetest |
| 15:23 |
|
Guest88 joined #minetest |
| 15:29 |
|
peterz joined #minetest |
| 15:34 |
|
peterz joined #minetest |
| 16:01 |
|
Hawk777 joined #minetest |
| 16:39 |
|
Fleckenstein joined #minetest |
| 17:12 |
|
Extex joined #minetest |
| 17:25 |
MTDiscord |
<luatic> Minetest mod security is a scam |
| 17:25 |
MTDiscord |
<luatic> Let one mod out of the sandbox and they will all be able to |
| 17:33 |
celeron55 |
it's not a scam, it's just what has been possible with the resources we have had |
| 17:33 |
celeron55 |
also, can someone point me to a game that sandboxes each of its mods individually |
| 17:47 |
|
garywhite joined #minetest |
| 17:47 |
|
garywhite joined #minetest |
| 17:49 |
MTDiscord |
<luatic> There are |
| 17:49 |
MTDiscord |
<luatic> And it would have been possible in Lua if a proper interface for require had been created and each mod were loaded in it's own environment |
| 17:52 |
MTDiscord |
<luatic> The current problem is that everything goes through a possibly dirty global table. Builtins, which are essential for even loading your code (unless it's all in init.lua), callbacks, Minetest engine functions, everything. |
| 17:57 |
erlehmann |
come on |
| 17:57 |
|
specing_ joined #minetest |
| 17:57 |
erlehmann |
as soon as you have turing complete stuff you can't effectively sandbox it |
| 17:57 |
erlehmann |
minetest could improve, yeah |
| 17:57 |
erlehmann |
but stop claiming sandboxing solves everything |
| 17:58 |
erlehmann |
luatic as long as mod code can overflow the stack on the server or cause integer overflows, mod security should be the least of worries |
| 17:59 |
erlehmann |
i mean as long as you are not running 5.3 |
| 18:00 |
erlehmann |
luatic but if you are running 5.3 users can probably take over your server in other ways than injecting lua … |
| 18:20 |
|
___nick___ joined #minetest |
| 18:21 |
|
Talkless joined #minetest |
| 18:22 |
|
___nick___ joined #minetest |
| 18:23 |
sfan5 |
ah yes, the eternal RCE meme |
| 18:24 |
|
___nick___ joined #minetest |
| 18:45 |
MTDiscord |
<savilli> show me RCE exploiting an integer overflow |
| 18:45 |
MTDiscord |
<savilli> or at least show me exploitable crash |
| 18:48 |
|
v-rob joined #minetest |
| 18:49 |
sfan5 |
writing a successful, reliable remote exploit is very hard in the age of numerous hardening measures being enabled in applications, libraries and kernels by default |
| 18:50 |
sfan5 |
more likely and much easier are injection vulnerabilities |
| 18:50 |
sfan5 |
but I wouldn't say it's likely for one to exist in the engine |
| 18:50 |
luk3yx |
<rubenwardy> btw, to pass secure object into another dofile you can do: `assert(loadfile(path .. "file.lua"))(http_api)` |
| 18:51 |
luk3yx |
I advise against doing that with the insecure environment (minetest.request_insecure_environment), with the HTTP API it's probably fine thogh |
| 18:51 |
luk3yx |
*though |
| 18:51 |
sfan5 |
why/why not? |
| 18:52 |
luk3yx |
I could change loadfile from another mod |
| 18:52 |
sfan5 |
that is true and one of the shortcomings |
| 18:53 |
sfan5 |
if you have the insecure env you can use loadfile from there anyway |
| 18:53 |
luk3yx |
The HTTP API already calls minetest.add_http_fetch or something similar so is vulnerable anyway |
| 18:54 |
luk3yx |
Maybe there should be a get_modpath function in the insecure environment as well |
| 18:59 |
sfan5 |
huh that's a problem I wasn't aware of |
| 18:59 |
|
Taoki joined #minetest |
| 19:03 |
|
v-rob joined #minetest |
| 19:05 |
sfan5 |
maybe some globals really need protection from modification |
| 19:05 |
sfan5 |
don't know how feasible this is in lua however |
| 19:06 |
|
SuperMiner joined #minetest |
| 19:06 |
celeron55 |
https://www.lua.org/pil/13.4.5.html |
| 19:06 |
celeron55 |
using a metatable (obviously - it's lua after all) |
| 19:07 |
sfan5 |
can't people just setmetatable that away |
| 19:07 |
celeron55 |
hmm |
| 19:08 |
celeron55 |
a metatable for the global environment? lol |
| 19:08 |
celeron55 |
a metatable is always the solution, you just have to figure out where you put it |
| 19:10 |
celeron55 |
my bet is, some day MT will have a way to make a mod have its own environment and be callable only by basically an RPC, and then everyone will simultaneously love and hate it |
| 19:11 |
celeron55 |
it's going to be janky as hell to use, but won't have those kinds of silly leaks |
| 19:12 |
celeron55 |
people don't realize how nice they have it with the single lua environment |
| 19:14 |
MTDiscord |
<savilli> single lua environment is pretty nice indeed |
| 19:14 |
MTDiscord |
<savilli> i think we only need separate environments for "trusted" mods |
| 19:16 |
MTDiscord |
<savilli> that way, if your mod for some reasons needs to go out of sandbox, people will suffer to use it, but it's fine |
| 19:16 |
celeron55 |
that's true, it would be basically like rust's unsafe |
| 19:17 |
celeron55 |
it would also allow multithreading as another reason to use it |
| 19:17 |
celeron55 |
or maybe not |
| 19:17 |
celeron55 |
well, depends, but safety is only one reason for wanting to use a separate environment |
| 19:21 |
celeron55 |
or, implement |
| 19:26 |
|
sys4 joined #minetest |
| 19:43 |
|
Verticen joined #minetest |
| 19:44 |
|
Extex joined #minetest |
| 19:48 |
MTDiscord |
<SX> "a metatable for the global environment", well not first or second time I've told someone that MT should stop playing luacheck... I mean mod env metatable for index/newindex. |
| 19:49 |
MTDiscord |
<SX> just my opinion and just because I had one (and still have) :) |
| 19:51 |
MTDiscord |
<SX> best to only use rawget for every global var access from mods (bad joke but yeah would love to see that hack disappear) |
| 20:08 |
|
olliy1or joined #minetest |
| 20:09 |
|
olliy joined #minetest |
| 20:09 |
|
Wikiwide_ joined #minetest |
| 20:27 |
|
v-rob joined #minetest |
| 20:28 |
|
proller joined #minetest |
| 20:29 |
|
v-rob joined #minetest |
| 20:33 |
MTDiscord |
<luatic> luk3yx: You would've used [off] in vain. The Discord bridge doesn't discard messages starting with [off]. |
| 20:35 |
MTDiscord |
<Jonathon> logging still does |
| 20:35 |
MTDiscord |
<Jonathon> so not in vain |
| 20:36 |
MTDiscord |
<Jonathon> *completely |
| 20:36 |
MTDiscord |
<luatic> But celeron55: No, setting a metatable on the global table is insufficient as (1) there's always rawset & rawget and (2) a metatable can't prevent changing fields. You really need to provide load each mod in it's own environment for them to be isolated. |
| 20:37 |
MTDiscord |
<luatic> And yes, while a single Lua environment may be pretty nice, require would be even nicer. |
| 20:38 |
celeron55 |
is there a proof of concept PR of this require that you're talking about? |
| 20:38 |
MTDiscord |
<luatic> "as soon as you have turing complete stuff you can't effectively sandbox it" - wrong, IMO |
| 20:39 |
MTDiscord |
<luatic> there is no such PR yet |
| 20:47 |
rubenwardy |
sfan5: __metatable prevents changing the metatable |
| 20:53 |
|
definitelya joined #minetest |
| 21:02 |
MTDiscord |
<luatic> only if debug.setmetatable is not exposed |
| 21:15 |
|
v-rob joined #minetest |
| 21:16 |
|
proller joined #minetest |
| 21:26 |
|
v-rob joined #minetest |
| 21:29 |
|
Verticen joined #minetest |
| 21:35 |
luk3yx |
I think that MT should just expose some functions (such as get_modpath) in the insecure environment and put the responsibility of using them properly onto mods that need it |
| 21:36 |
luk3yx |
That way the majority of mods that don't need the insecure environment don't have to live with any metatable-related issues/performance hits that might arise |
| 21:38 |
luk3yx |
Though that would make it easy for mods to accidentally use the wrong function and create a security issue |
| 22:00 |
luk3yx |
Maybe loading mods that are in secure.trusted_mods first would work (at least during load time), but then that wouldn't work if they depended on any mod not in secure.trusted_mods |
| 22:01 |
sfan5 |
solution: don't load mods you don't trust |
| 22:02 |
MTDiscord |
<savilli> solution: don't load mods |
| 22:04 |
|
troller joined #minetest |
| 22:07 |
|
sparky4 joined #minetest |
| 22:18 |
|
v-rob joined #minetest |
| 22:18 |
|
sagax joined #minetest |
| 22:23 |
MTDiscord |
<exe_virus> I mean, I am all for separate lua contexts. For example, a lua-only mapgen with multithreading, so each thread has its own lua context. That would help with map generation significantly for lua based mapgens. |
| 22:24 |
MTDiscord |
<exe_virus> Or using the client-side lua for physics calculations so that we have client side boat or cart or flying or racing mechanics |
| 22:24 |
MTDiscord |
<exe_virus> etc. etc. Ideally I think we could fire off lua contexts with a single text block and then we poll for a flag or provide a callback for when it finishes |
| 22:33 |
|
troller joined #minetest |
| 22:36 |
MTDiscord |
<Warr1024> the tough part about separate lua contexts is that all calls between them need to be serialized as messages, which will have performance consequences, and many things like functions cannot be serialized, so there would be serious limitations to cross-mod dependency injection or callback APIs. |
| 22:44 |
MTDiscord |
<Benrob0329> Functions can be serialized |
| 22:44 |
MTDiscord |
<Benrob0329> Its a security risk, but its possible |
| 23:00 |
|
Sven_vB joined #minetest |
| 23:12 |
kilbith |
http://sprunge.us/6rHnnR |
| 23:12 |
kilbith |
phew. |
| 23:24 |
|
kgserrano joined #minetest |
| 23:35 |
kilbith |
MineClone2 is about half the size of the engine in terms of LOC: http://sprunge.us/mBw6Gw |
| 23:37 |
kilbith |
and Dreambuilder is 151 KLOC (Lua), that's bigger than the engine |
| 23:39 |
MTDiscord |
<Jonathon> taking a sudden interest in comparing game sizes? |
| 23:47 |
|
SuperMiner joined #minetest |
| 23:52 |
MTDiscord |
<Jonathon> anyways, seems interesting the only two servers running i3 are two separate games that use it |
| 23:52 |
erlehmann |
the only *public* servers |
| 23:53 |
erlehmann |
<savilli> show me RCE exploiting an integer overflow |
| 23:53 |
erlehmann |
lol |
| 23:53 |
erlehmann |
<sfan5> more likely and much easier are injection vulnerabilities |
| 23:53 |
erlehmann |
<sfan5> but I wouldn't say it's likely for one to exist in the engine |
| 23:54 |
erlehmann |
sfan5, the one that has been fixed was funny though, i think in-game items have no business executing arbitrary code. |
| 23:54 |
MTDiscord |
<Jonathon> well duh im talking about public servers |
| 23:55 |
|
search_social joined #minetest |
| 23:58 |
MTDiscord |
<MisterE> I use i3 on mesecraft, wich is a mod soup |
| 23:58 |
MTDiscord |
<MisterE> centeria is the server, mesecraft is the game |
| 23:59 |
MTDiscord |
<MisterE> Tho I have modded mesecraft enough that at some point I may have to change the name |
