[MUD-Dev] (fwd) Functional Security
Miroslav Silovic
silovic at zesoi.fer.hr
Fri Mar 20 11:37:19 CET 1998
Matt Chatterley <matt at mpc.dyn.ml.org> writes:
> It does exist in MudOS, but yes, is often downplayed, it seems. I haven't
> gone to any great lengths to change this (the only functions that I have
> really secured are those that interface with the FS and other 'sensitive'
> parts of the game backbone).
>
> One problem with introducing heavy function-security is that unless you
> design it in what appears (to me) a quite cumbersome way, you will cause
> problems when you wish unprivileged objects to interact with each other in
> theoretically sensitive ways.

Actually Cold seems to have solved this problem: It has the following
mechanisms:

  1) bind() - binds primitive function to an object. After that,
     only the methods on the object can invoke the function
  2) native methods - C function can be interfaced with Cold
     in such a way that it appears to be ordinary method for all
     practical purposes (except that you can't list its source)
  3) private/public/protected method flags - these do the same
     thing as in C++ - they limit the objects that can call
     methods
  4) no_override flag - flag a method with this and it can't
     be overridden on the descendants of the object

This is enough for a simple /and/ powerful security mechanism
implemented in the core. Most methods that need protection simply do
(> .perms(caller(), <permission type>) <); which calls no_override
root method that performs the actual perm check and throws an error if
necessary ((> <) is error propagation operator). So, layers are like
this:

  bottom: sensitive functions are bound to relevant objects
    (dumping, shutdown etc. to $sys, networking to the generic
    connection, and so on).
  perm checks: methods on the root object that can be invoked
    with a nice syntax from wherever they are needed
  ring permission attributes: Cold maintains
    manager/writer/readed/trusted lists for each object.
    $root.perm method is a clean interface to this.

Source for $root.perms is at
http://ice.cold.org/bin/method?target=$root.perms
Miro
--
I refuse to use .sig
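
Added example, not part of the original post and not ColdC or Cold's own code: a Python model of the layers described above (a primitive bound to $sys, a no_override perms check on $root, per-object permission lists). The 'manager' permission type, the do_shutdown method and the $admin/$guest objects are assumptions made for illustration.

```python
class PermError(Exception): pass

BOUND = {}  # primitive name -> the one object whose methods may invoke it

def bind(primitive, obj):
    BOUND[primitive] = obj

def invoke(primitive, definer):
    # Bottom layer: a bound primitive runs only from a method defined on its owner.
    owner = BOUND.get(primitive)
    if owner is not None and owner is not definer:
        raise PermError(f"{primitive}() is bound to {owner.name}")
    return f"{primitive} done"

class Obj:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.methods = {}  # method name -> (function, no_override flag)
        self.lists = {"manager": set(), "writer": set(), "trusted": set()}

    def chain(self):  # this object, then its ancestors up to the root
        return [self] + (self.parent.chain() if self.parent else [])

    def define(self, name, fn, no_override=False):
        for anc in self.chain()[1:]:  # descendants cannot shadow a no_override method
            if anc.methods.get(name, (None, False))[1]:
                raise PermError(f"{name} is no_override on {anc.name}")
        self.methods[name] = (fn, no_override)

    def call(self, name, caller, *args):
        for definer in self.chain():
            if name in definer.methods:
                return definer.methods[name][0](self, definer, caller, *args)
        raise AttributeError(name)

def perms(this, definer, caller, who, kind):
    # Perm-check layer: raise unless `who` is the object itself or on its list.
    if who is not this and who not in this.lists[kind]:
        raise PermError(f"{who.name} is not a {kind} of {this.name}")

def do_shutdown(this, definer, caller):  # hypothetical protected method on $sys
    this.call("perms", this, caller, "manager")  # models (> .perms(caller(), ...) <)
    return invoke("shutdown", definer)

root = Obj("$root")
root.define("perms", perms, no_override=True)
sys_obj = Obj("$sys", root)
sys_obj.define("do_shutdown", do_shutdown)
bind("shutdown", sys_obj)
admin, guest = Obj("$admin", root), Obj("$guest", root)  # constructed sample objects
sys_obj.lists["manager"].add(admin)
```

In this model a caller on $sys's manager list gets through do_shutdown, while $guest is stopped by the perms check, by the binding if it tries the primitive directly, and by no_override if it tries to redefine perms.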