[316] in Coldmud discussion meeting

root meeting help first first in chain previous in chain previous next next in chain last in chain last

Re: logging, fact and fiction

daemon@ATHENA.MIT.EDU (Tue May 24 13:46:32 1994 )

Date: Tue, 24 May 1994 10:30:51 -0700
From: rayn@q.crossaccess.com (Ray Nawara jr.)
Cc: coldstuff@MIT.EDU
In-Reply-To: <9405240220.AA00947@binkley.MIT.EDU> (message from Greg Hudson on Mon, 23 May 94 22:20:04 EDT)

> Let me make one thing absolutely clear:

> The Coldmud server has absolutely no idea what an admin is.  The
> server has, in fact, absolutely no idea how your database happens to
> represent people, or how it implements security.  Brandon explained
> that certain built-in functions were limited to $sys (in particular,
> anything that causes an affect on the world outside the database),
> but that's the only security implemented in the server.

Thanks for the clarification :) It IS important to know what is a
server function, and what is a DB function, and I'll readily admit I'm
unclear on this still. Note though that my main objection is to making
log a DB function, but that is because I see log as a
hacking-detection tool, as opposed to something else, and log itself
being in-db is not a security hole or something.

I guess theoretically then, I can just make $sys not allow access to
the log function for anyone, right?

> If all calls to $sys.eval, $sys.compile, and all methods on $sys
> which modify ,admins are logged, then Ray/Ashs senario is
> invalid. The time of modifying $sys.log and/or $sys,admins will be
> in the log.

Mmm, yoeh if mods to log were logged (besides perhaps being
recursive?) then you'd be able to see the hole.  

> Your scenarios all have human error on the part of the admins in
> them, too.  I don't think you can justify time in log() based on
> that. I claim that the current version of the server can be made
> equally or more secure than MOO, which has been hacked once in
> Lambda's history (by Quinn). It has been lagged miserably by an
> unknown programmer, but that's a different kind of issue.

Note that I stopped justifying time in log(), I've always stated that
this is just a preference. My concern here was the ability to turn off
logging on-line, or modify the output of log in-db. Pointing at human
error is not in my opinion an excuse for securtity problems. Human
error should be assumed, and measures taken to minimized the damage it
can do. Having a secure system log is one method of doing this. But it
seems apparent that all this requires is the proper restrictions on
$sys. (There is a reason, in fact numerous ones, why I like ColdMUD,
after all :) Sorry if im getting kinda annoying about this.