[Opensim-dev] osNPCxxx functions vs security

Argus argus at archimuh.de
Wed Jul 4 18:12:10 UTC 2012


Hi.

  Last week a new patch was posted by Talun in Mantis (6063) with a new 
feature not implemented yet, osNPCTouch, which enables NPCs to trigger the 
touch event in scripted objects. As cool as this first sounds, there are 
some security issues which should be addressed... or not

  As Justin pointed out, the discussion should best be held here and not 
on Mantis. I think the goal of the discussion should maybe be to end 
with a general security guideline for future and current implementations 
of NPCs in LSL/OSSL? This might also include some changes to the 
existing functions if a general consensus is found.

Generally, NPCs and their functions need to be manually enabled by the 
region owner, which limits NPC security issues to those regions where NPCs 
are allowed. However, it is conceivable that griefers, neighbours or buggy 
scripts create security issues on a region which result in spam or even 
crash the region/sim/server.

  In LSL the solution is to have forced script delays in functions that 
could be used negatively, e.g. llInstantMessage with a 2-second delay, or a 
limited number of repeated uses per minute.

  In the case of osNPCTouch, we have 1 NPC which can touch over 1000 
objects within 1 second. In this case NPCs can be used to block items 
from being touched or, depending on the scripts touched, might even 
crash a region/sim/server due to many active scripts doing some work.

So should osNPCxxx functions generally have limits where griefing/crashes 
are possible, and what should the limit be? Basically we have 3 options:

1) We don't implement any limitation and accept that very rarely some 
griefing can happen. Worst case scenario means restoring some region 
backups after an attack...
2) We could limit the functions to a maximum number of uses per minute. This 
allows normal scripts to run fast until the limit is reached. The 
limit is high enough for normal uses, but causes a silent failure 
after the limit is reached.
3) We could add a delay to functions. The script is always "slow" even 
if not being used for griefing.

I personally would prefer 2, limitation per minute. This enables one to 
give certain NPC rights to trusted parcel owners without the fear of some 
dispute between parcel neighbours ending in a total server crash.

Regards
Michelle
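
Options 2 and 3 from the post, sketched as an added C# example that is not part of the original message or of OpenSim's code: a sliding-window cap that fails silently once the budget is spent, run against the 1000-touches-in-one-second burst. The class name `NpcCallLimiter`, the budget of 60 calls per minute and the 0.1 s delay are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;

// Added illustration, not OpenSim code. NpcCallLimiter and its limits are hypothetical.
public sealed class NpcCallLimiter
{
    private readonly int maxCalls;
    private readonly TimeSpan window;
    // One timestamp queue per key (hypothetical: the NPC's or its owner's UUID), oldest first.
    private readonly Dictionary<Guid, Queue<DateTime>> calls =
        new Dictionary<Guid, Queue<DateTime>>();

    public NpcCallLimiter(int maxCalls, TimeSpan window)
    {
        this.maxCalls = maxCalls;
        this.window = window;
    }

    // Option 2: returns false once the budget is spent; the caller drops the touch silently.
    public bool TryAcquire(Guid key, DateTime now)
    {
        lock (calls)
        {
            Queue<DateTime> q;
            if (!calls.TryGetValue(key, out q))
                calls[key] = q = new Queue<DateTime>();
            // Forget calls that have left the sliding window.
            while (q.Count > 0 && now - q.Peek() >= window)
                q.Dequeue();
            if (q.Count >= maxCalls)
                return false;
            q.Enqueue(now);
            return true;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var limiter = new NpcCallLimiter(60, TimeSpan.FromMinutes(1)); // assumed budget
        var key = Guid.NewGuid();
        var start = new DateTime(2012, 7, 4, 18, 0, 0, DateTimeKind.Utc); // constructed clock
        int delivered = 0;
        for (int i = 0; i < 1000; i++) // the burst from the post: 1000 touches in one second
            if (limiter.TryAcquire(key, start.AddMilliseconds(i)))
                delivered++;
        Console.WriteLine("option 2: delivered {0}, dropped {1}", delivered, 1000 - delivered);
        Console.WriteLine("fresh budget after 61 s: {0}", limiter.TryAcquire(key, start.AddSeconds(61)));
        Console.WriteLine("option 3 (assumed 0.1 s delay per call): burst takes {0} s", 1000 * 0.1);
    }
}
```

Passing the clock in as a parameter keeps the limiter deterministic for testing; which key the budget is tracked under decides whether a script can sidestep the cap by spreading calls across several NPCs.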


