Threat level

To permit region owners to enable the extended scripting functionality of OSSL, without allowing malicious scripts to access potentially troublesome functions, each OSSL function is assigned a threat level, and access to the functions is granted or denied based on a default threshold set in OpenSim.ini (which can be overridden for individual functions on a case-by-case basis). Review OSSL Enabling Functions page with a full example for Implementing the various osFunctions for your system.

The threat levels, from wholly unthreatening to most potentially damaging, are:


 * None
 * Function is no threat at all. It doesn't constitute a threat to either users or the system and has no known side effects.
 * Functions with the threat level "None":
 * See Category:OSSL_Functions/ThreatLevel:None


 * Nuisance
 * Abuse of this command can cause a nuisance to the region operator, such as log message spew.
 * Functions with the threat level "Nuisance":
 * See Category:OSSL_Functions/ThreatLevel:Nuisance


 * VeryLow
 * Extreme levels of abuse of this function can cause impaired functioning of the region, or very gullible users can be tricked into experiencing harmless effects.
 * Functions with the threat level "VeryLow":
 * See Category:OSSL_Functions/ThreatLevel:VeryLow


 * Low
 * Intentional abuse can cause crashes or malfunction under certain circumstances, which can be easily rectified; or certain users can be tricked into certain situations in an avoidable manner.
 * Functions with the threat level "Low":
 * See Category:OSSL_Functions/ThreatLevel:Low


 * Moderate
 * Intentional abuse can cause denial of service and crashes with potential of data or state loss; or trusting users can be tricked into embarrassing or uncomfortable situations.
 * Functions with the threat level "Moderate":
 * See Category:OSSL_Functions/ThreatLevel:Moderate


 * High
 * Casual abuse can cause impaired functionality or temporary denial of service conditions. Intentional abuse can easily cause crashes with potential data loss, or can be used to trick experienced and cautious users into unwanted situations, or changes global data permanently and without undo ability.
 * Functions with the threat level "High":
 * See Category:OSSL_Functions/ThreatLevel:High


 * VeryHigh
 * Even normal use may, depending on the number of instances, or frequency of use, result in severe service impairment or crash with loss of data, or can be used to cause unwanted or harmful effects on users without giving the user a means to avoid it.
 * Functions with the threat level "VeryHigh":
 * See Category:OSSL_Functions/ThreatLevel:VeryHigh


 * Severe
 * Even casual use is a danger to region stability, or function allows console or OS command execution, or function allows taking money without consent, or allows deletion or modification of user data, or allows the compromise of sensitive data by design.
 * Functions with the threat level "Severe":
 * See Category:OSSL_Functions/ThreatLevel:Severe

The OSFunctionThreatLevel setting in the script engines' configuration sections of OpenSim.ini controls what classes of functions are accessible to scripts owned by any avatar; any function at the same threat level or lower than the value provided for OsFunctionThreatLevel is permitted to run. If OSFunctionThreatLevel is absent from the configuration file, the default value is VeryLow.

We do not recommend that you set a general level above Low unless you have a very high level of trust in all the visitors to the simulator that have the ability to run scripts.

It is safer to explicitly allow certain types of user to run higher threat level OSSL functions on an individual basis. This can be done by adding Allow_* lines to the script engine's configuration section. To permit scripts owned by anyone to access a function, even if its threat level exceeds the value of OSFunctionThreatLevel, use the value 'true':

You can also prohibit individual OSSL functions, even if its threat level is equal to or below the value of OSFunctionThreatLevel:

To allow scripts owned by only certain avatars to access a function, use the UUIDs of the avatars owning the scripts. If multiple avatars are to be permitted access, separate the UUIDs with commas:

You can also allow categories of users to call given OSSL functions. Currently, the categories are


 * PARCEL_GROUP_MEMBER: allow if object group is the same group as the parcel
 * PARCEL_OWNER: allow if the object owner is parcel owner
 * ESTATE_MANAGER: allow if the object owner is an estate manager
 * ESTATE_OWNER: allow if object owner is estate owner

For example

Note that wiki may not have the threat levels for some functions or have wrong threat levels. You can check actual threat levels by looking into OpenSim.Region.ScriptEngine.Shared.Api.OSSL_Api class in the source distribution or git master(see CheckThreatLevel calling).

Ascertaining privilege to use a function
There is not currently a function which would allow a script to determine whether or not it has permission to use any specific OSSL function. Such a function was proposed, but rejected by a developer on the grounds that it could permit a griefer script too much knowledge of its environment (though, as shown below, this information is already available through other methods, albeit less efficient ones).

Leaving the question of griefer scripts aside, such knowledge is also useful to legitimate scripts (for instance, an animation vendor with a "Try me!" button, which might use osAvatarPlayAnimation to demonstrate the animation without requiring the user to explicitly grant permission, but fall back to llStartAnimation in the event that osAvatarPlayAnimation is unavailable).

If a script attempts to use an OSSL function that it does not have permission to use, only the current invocation of the event handler which called the function crashes; the script remains running, and the event handler will be executed again the next time the event fires. A script may take advantage of this fact to ascertain which functions are available to it, by using an information-gathering state with a timer to iterate quickly through the OSSL functions it needs; when a function call succeeds, it can then set a variable indicating that the function is available. Once it has iterated through all the functions, it then switches out of the information-gathering state.