Mantis Bug Tracker

ID: 0008405
Project: opensim
Category: [GRID] Grid Service
View Status: public
Date Submitted: 2018-11-09 04:45
Last Update: 2018-11-09 11:17
Reporter: Data Rossini
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform:
OS: Linux
OS Version: Suse 42.3
Product Version: 0.9.0.1
Target Version:
Fixed in Version:
Summary: 0008405: Client version access control does not work

Description:
Client version access control configured in the "Robust.HG.ini" section "[AccessControl]" does not work.
It looks like the string "clientVersion" is truncated at a space in the viewer version string.
You can see it in Robust.log at ... using viewer.

Steps To Reproduce:
Firestorm Version: "Firestorm 5.1.7 (55786)"

Case 1: You can not log in
==========================
-> Get in Firestorm: "Logins are currently restricted. Please try again later."

Robust.HG.ini Section [AccessControl]:
...
[AccessControl]
    ;# {AllowedClients} {} {Bar (|) separated list of allowed clients} {}
    ;; Bar (|) separated list of viewers which may gain access to the regions.
    ;; One can use a substring of the viewer name to enable only certain
    ;; versions
    ;; Example: Agent uses the viewer "Imprudence 1.3.2.0"
    ;; - "Imprudence" has access
    ;; - "Imprudence 1.3" has access
    ;; - "Imprudence 1.3.1" has no access
    ; AllowedClients = ""
    AllowedClients = "Firestorm"
    ;AllowedClients = "5.1.7.55786"

    ;# {DeniedClients} {} {Bar (|) separated list of denied clients} {}
    ;; Bar (|) separated list of viewers which may not gain access to the regions.
    ;; One can use a Substring of the viewer name to disable only certain
    ;; versions
    ;; Example: Agent uses the viewer "Imprudence 1.3.2.0"
    ;; - "Imprudence" has no access
    ;; - "Imprudence 1.3" has no access
    ;; - "Imprudence 1.3.1" has access
    ; DeniedClients = ""
    ;DeniedClients = "Imprudence|CopyBot|Twisted|Crawler|Cryolife|FuckLife|StreetLife|GreenLife|AntiLife|KORE-Phaze|Synlyfe|PurpleSecond Life|Emerald|Darkstorm|BuilderBot|Phoenix-Firestorm-Professional"
...

Robust.log (XXX for IP and Mac):
...
2018-11-09 12:53:10,190 INFO (Threadpool worker) - OpenSim.Services.LLLoginService.LLLoginService [LLOGIN SERVICE]: Login request for Owner RoMetaverse at home using viewer 5.1.7.55786, channel Firestorm-Releasex64, IP XX.XXX.XX.XXX, Mac XXXXXXXX, Id0 2be72c62d2bed82f20db3532d25eb274, Possible LibOMVGridProxy: False
2018-11-09 12:53:10,191 INFO (Threadpool worker) - OpenSim.Services.LLLoginService.LLLoginService [LLOGIN SERVICE]: Login failed for Owner RoMetaverse, reason: client 5.1.7.55786 is not allowed

Case 2: You can log in
======================

Robust.HG.ini Section [AccessControl]:
...
[AccessControl]
    ;# {AllowedClients} {} {Bar (|) separated list of allowed clients} {}
    ;; Bar (|) separated list of viewers which may gain access to the regions.
    ;; One can use a substring of the viewer name to enable only certain
    ;; versions
    ;; Example: Agent uses the viewer "Imprudence 1.3.2.0"
    ;; - "Imprudence" has access
    ;; - "Imprudence 1.3" has access
    ;; - "Imprudence 1.3.1" has no access
    ; AllowedClients = ""
    ;AllowedClients = "Firestorm"
    AllowedClients = "5.1.7.55786"

    ;# {DeniedClients} {} {Bar (|) separated list of denied clients} {}
    ;; Bar (|) separated list of viewers which may not gain access to the regions.
    ;; One can use a Substring of the viewer name to disable only certain
    ;; versions
    ;; Example: Agent uses the viewer "Imprudence 1.3.2.0"
    ;; - "Imprudence" has no access
    ;; - "Imprudence 1.3" has no access
    ;; - "Imprudence 1.3.1" has access
    ; DeniedClients = ""
    ;DeniedClients = "Imprudence|CopyBot|Twisted|Crawler|Cryolife|FuckLife|StreetLife|GreenLife|AntiLife|KORE-Phaze|Synlyfe|PurpleSecond Life|Emerald|Darkstorm|BuilderBot|Phoenix-Firestorm-Professional"
...

Robust.log (XXX for IP and Mac):
2018-11-09 13:11:38,486 INFO (Threadpool worker) - OpenSim.Services.LLLoginService.LLLoginService [LLOGIN SERVICE]: Login request for Owner RoMetaverse at home using viewer 5.1.7.55786, channel Firestorm-Releasex64, IP XX.XXX.XX.XXX, Mac XXXXXXXX, Id0 2be72c62d2bed82f20db3532d25eb274, Possible LibOMVGridProxy: False
...
2018-11-09 13:11:38,578 INFO (Threadpool worker) - OpenSim.Services.HypergridService.GatekeeperService [GATEKEEPER SERVICE]: Login request for Owner RoMetaverse @ http://XXXXXX.ultrasrv.de:8002/ (406c5f02-1f96-4c74-adec-d6a7c80f87b1) at 8cebdc4e-bc0b-11e8-a355-529269fb1459 using viewer Firestorm-Releasex64 5.1.7.55786, channel Firestorm-Releasex64, IP XX.XXX.XX.XXX, Mac XXXXXXXX, Id0 2be72c62d2bed82f20db3532d25eb274, Teleport Flags: ViaHome, ViaLogin. From region Unknown


Additional Information:
OpenSim Version: 0.9.0.1 g6b2da57 2018-06-29
Mono Version 4.6.1

Tags: No tags attached.
Git Revision or version number:
Run Mode: Grid (Multiple Regions per Sim)
Physics Engine: BulletSim
Environment: Mono / Linux64
Mono Version: Other
Viewer: Firestorm 5.1.7 (55786)

-  Notes
(0033455)
tampa (reporter)
2018-11-09 05:10

iirc that's because you are entering the wrong strings for it to check against, you can read that in the log, the reported name is "Firestorm-Releasex64" which will not match with just "Firestorm".

Beyond that however, the system is completely useless anyways as that is a reported check, so anyone can just send a name of what they claim to be using and the system has no way of actually knowing whether that is true or not. You can self-compile a viewer and make it named Firestorm even if it is actually Singularity. It's rather ineffective in forcing certain client versions in case you were hoping this would prevent any sort of nasty behavior from users.
(0033456)
danbanner (manager)
2018-11-09 05:38

"Imprudence" would still work as expected since the client (viewer) is reported with name and version. Older viewers displayed client/channel differently than current viewers present this information now (this was changed several years ago.. thank LL)

viewer | channel
Imprudence 1.3.2.0 | Imprudence
5.1.7.55786 | Firestorm-Releasex64
1.8.7.6994 | Singularity Alpha 64
(0033457)
UbitUmarov (administrator)
2018-11-09 07:31
edited on: 2018-11-09 07:35

made a change on master.
our code on access control was still for old format, where version also included the viewer name, now it only includes the version.
ie was
Firestorm-Releasex64 5.1.7.55786
now is just
5.1.7.55786

With the code change, the string used on the match should now be "Firestorm-Releasex64 5.1.7.55786" in both cases.

note that you may need to change your settings to match these changes.
the match is done using .net Regex as before (https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions?view=netframework-4)

(0033458)
Data Rossini (reporter)
2018-11-09 11:17
edited on: 2018-11-10 10:58

@ALL TOGETHER.
OK. Thank you very much for information.

I would like to add that the client version check also takes place when teleporting to another grid.
Here is the relevant source code:

GatekeeperService.cs:
            //
            // Check client
            //
            if (m_AllowedClients != string.Empty)
            {
                Regex arx = new Regex(m_AllowedClients);
                Match am = arx.Match(curViewer);

                if (!am.Success)
                {
                    reason = "Login failed: client " + curViewer + " is not allowed";
                    m_log.InfoFormat("[GATEKEEPER SERVICE]: Login failed, reason: client {0} is not allowed", curViewer);
                    return false;
                }
            }

            if (m_DeniedClients != string.Empty)
            {
                Regex drx = new Regex(m_DeniedClients);
                Match dm = drx.Match(curViewer);

                if (dm.Success)
                {
                    reason = "Login failed: client " + curViewer + " is denied";
                    m_log.InfoFormat("[GATEKEEPER SERVICE]: Login failed, reason: client {0} is denied", curViewer);
                    return false;
                }
            }


Util.cs --> GetViewerName(AgentCircuitData agent)

        /// <summary>
        /// Returns the name of the user's viewer.
        /// </summary>
        /// <remarks>
        /// This method handles two ways that viewers specify their name:
        /// 1. Viewer = "Firestorm-Release 4.4.2.34167", Channel = "(don't care)" -> "Firestorm-Release 4.4.2.34167"
        /// 2. Viewer = "4.5.1.38838", Channel = "Firestorm-Beta" -> "Firestorm-Beta 4.5.1.38838"
        /// </remarks>
        public static string GetViewerName(AgentCircuitData agent)
        {
            string name = agent.Viewer;
            if (name == null)
                name = "";
            else
                name = name.Trim();

            // Check if 'Viewer' is just a version number. If it's *not*, then we
            // assume that it contains the real viewer name, and we return it.
            foreach (char c in name)
            {
                if (Char.IsLetter(c))
                    return name;
            }

            // The 'Viewer' string contains just a version number. If there's anything in
            // 'Channel' then assume that it's the viewer name.
            if ((agent.Channel != null) && (agent.Channel.Length > 0))
                name = agent.Channel.Trim() + " " + name;

            return name;
        }

And that's the answer string for the LoginHandler from Viewer (mac and passwd were replaced by XXX...):

agree_to_tos:0
platform:lnx
last:RoMetaverse
address_size:64
host_id:
extended_errors:1
platform_string:Linux 4.15
version:5.1.7.55786
last_exec_duration:166
mac:XXXXXXXXXXXXXXXXXXXXXX
last_exec_event:0
passwd:$XXXXXXXXXXXXXXXXXXX
channel:Firestorm-Releasex64
id0:bef500f4a93a2e991e9c163f60c23315
first:Owner
read_critical:0
options:System.Collections.ArrayList
  inventory-root
  inventory-skeleton
  inventory-lib-root
  inventory-lib-owner
  inventory-skel-lib
  initial-outfit
  gestures
  display_names
  event_categories
  event_notifications
  classified_categories
  adult_compliant
  buddy-list
  newuser-config
  ui-config
  advanced-mode
  max-agent-groups
  map-server-url
  voice-config
  tutorial_setting
  login-flags
  global-textures
  currency
  max_groups
  search
  destination_guide_url
  avatar_picker_url
start:home
platform_version:2.23.0

Thanks
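
The matching behaviour discussed in this thread, as an added C# example (not OpenSim code and not posted by any participant): it ports the quoted GetViewerName logic to plain strings and runs the quoted allow/deny Regex check against the version and channel values from the report, plus constructed inputs showing that an unescaped, unanchored pattern matches more than the literal string. The class name, the IsAllowed helper and the anchored pattern are assumptions made for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

static class ViewerAccessCheck
{
    // Simplified port of the quoted Util.GetViewerName; takes plain strings
    // instead of AgentCircuitData (an assumption made for this example).
    static string GetViewerName(string viewer, string channel)
    {
        string name = (viewer ?? "").Trim();
        foreach (char c in name)
            if (char.IsLetter(c))
                return name; // old format: 'viewer' already carries the name
        if (!string.IsNullOrEmpty(channel))
            name = channel.Trim() + " " + name;
        return name;
    }

    // Same allow/deny decision as the quoted GatekeeperService excerpt.
    static bool IsAllowed(string allowed, string denied, string curViewer)
    {
        if (allowed != string.Empty && !new Regex(allowed).Match(curViewer).Success)
            return false;
        if (denied != string.Empty && new Regex(denied).Match(curViewer).Success)
            return false;
        return true;
    }

    static void Main()
    {
        string version = "5.1.7.55786";          // 'version' field from the report
        string channel = "Firestorm-Releasex64"; // 'channel' field from the report
        string combined = GetViewerName(version, channel);
        // Hypothetical pattern: anchored, with the dots escaped.
        string strict = @"^Firestorm-Releasex64 5\.1\.7\.55786$";

        var cases = new (string Allowed, string Input)[]
        {
            ("Firestorm", version),         // version-only string, as in the Case 1 log
            ("Firestorm", combined),        // channel + version, as in the Gatekeeper log
            ("5.1.7.55786", "5x1y7z55786"), // constructed input: '.' is a regex wildcard
            (strict, combined),             // exact client string
            (strict, combined + "9"),       // constructed input exercising the '$' anchor
        };
        foreach (var (allowed, input) in cases)
        {
            bool ok = IsAllowed(allowed, string.Empty, input);
            Console.WriteLine("AllowedClients={0} input={1} allowed={2}", allowed, input, ok);
        }
    }
}
```

Both fields are sent by the client in the login request, so the result only reflects what the viewer reports about itself.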


- Issue History
Date Modified Username Field Change
2018-11-09 04:45 Data Rossini New Issue
2018-11-09 04:50 Data Rossini Steps to Reproduce Updated
2018-11-09 04:51 Data Rossini Description Updated
2018-11-09 04:53 Data Rossini Description Updated
2018-11-09 04:53 Data Rossini Description Updated
2018-11-09 04:58 Data Rossini Description Updated
2018-11-09 04:59 Data Rossini Description Updated
2018-11-09 05:10 tampa Note Added: 0033455
2018-11-09 05:38 danbanner Note Added: 0033456
2018-11-09 07:31 UbitUmarov Note Added: 0033457
2018-11-09 07:35 UbitUmarov Note Edited: 0033457
2018-11-09 11:17 Data Rossini Note Added: 0033458
2018-11-09 11:47 Data Rossini Note Edited: 0033458
2018-11-09 12:36 Data Rossini Note Edited: 0033458
2018-11-10 10:58 Data Rossini Note Edited: 0033458

