[Opensim-dev] osNPCxxx functions vs security

Justin Clark-Casey jjustincc at googlemail.com
Wed Jul 4 23:32:01 UTC 2012


I prefer option 3, since it would be identical to LSL functions and hence in line with user expectations.   Like the LSL 
delays, these would still be configurable.

Option 3 is also simpler than option 2, which starts to involve complicated record-keeping.  It also doesn't prejudice 
adding this in the future if it proves really necessary.

Without these limits, a large number of allowed OSSL functions could be problematic, osNpcCreate for instance.  I think 
the most likely scenario is badly written scripts.

On 04/07/12 19:12, Argus wrote:
> Hi.
>
>   Last week a new patch was posted by Talun in Mantis (6063) with a new feature not implemented yet, osNPCTouch, which
> enables NPCs to trigger the touch event in scripted objects. As cool as this first sounds, there are some security issues
> which should be addressed... or not
>
>   As Justin pointed out, the discussion should best be made here and not on Mantis. I think the goal of the discussion
> should maybe be to end with a general security guideline for future and current implementations of NPCs in LSL/OSSL?
> This might also include some changes to the existing functions if a general consensus is found.
>
> Generally, NPCs and their functions need to be manually enabled by the region owner, which limits NPC security issues to
> those regions where NPCs are allowed. However, it is thinkable that griefers, neighbours or buggy scripts create security
> issues on a region which result in spam or even crash the region/sim/server.
>
>   In LSL the solution is to have forced script delays in functions that could be used negatively, e.g. llInstantMessage
> with a 2 second delay, or a limited amount of repeated use per minute.
>
>   In the case of osNPCTouch, we have 1 NPC which can touch over 1000 objects within 1 second. In this case NPCs can be
> used to block items from being touched or, depending on the scripts touched, might even crash a region/sim/server due to
> many active scripts doing some work.
>
> So should osNPCxxx functions generally have limits where griefing/crashes are possible, and how should the limit be?
> Basically we have 3 options:
>
> 1) We don't implement any limitation and accept that very seldom some griefing can happen. Worst case scenario means
> restoring some region backups after an attack...
> 2) We could limit the functions to a max amount of uses per minute. This allows the normal scripts to run fast until the
> limit is reached. The limit is high enough for the normal uses, but causes a silent failure after the limit is reached.
> 3) We could add a delay to functions. The script is always "slow" even if not being used for griefing.
>
> I personally would prefer 2, limitation per minute. This enables one to give certain NPC rights to trusted parcel owners
> without the fear of some dispute between parcel neighbours ending in a total server crash.
>
> Regards
> Michelle


-- 
Justin Clark-Casey (justincc)
http://justincc.org/blog
http://twitter.com/justincc
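
The trade-off between options 2 and 3 in this thread, as an added sketch that is not part of the original messages and is not OpenSim code. The class names, the 60-per-minute cap, the 1-second delay and the 1 ms per-call cost are assumed values; the burst is the 1000-touch case from the quoted message, run on a simulated clock.

```python
from collections import defaultdict, deque

WINDOW_MS = 60_000  # one minute, in simulated milliseconds

class PerMinuteCap:
    """Option 2: up to `limit` calls per script per minute, then silent failure."""
    def __init__(self, limit):
        self.limit = limit
        self.history = defaultdict(deque)  # per-script record-keeping

    def call(self, script_id, now_ms):
        q = self.history[script_id]
        while q and now_ms - q[0] >= WINDOW_MS:
            q.popleft()                    # forget calls older than a minute
        if len(q) >= self.limit:
            return False, now_ms           # dropped; the script is not slowed
        q.append(now_ms)
        return True, now_ms

class ForcedDelay:
    """Option 3: every call works, then the script sleeps `delay_ms` (0 = option 1)."""
    def __init__(self, delay_ms):
        self.delay_ms = delay_ms

    def call(self, script_id, now_ms):
        return True, now_ms + self.delay_ms  # stateless: nothing to track

def burst(policy, attempts, script_id="script-A", call_cost_ms=1):
    """Simulate one script calling a throttled function in a tight loop."""
    now, accepted = 0, []
    for _ in range(attempts):
        ok, resume = policy.call(script_id, now)
        if ok:
            accepted.append(now)
        now = resume + call_cost_ms
    # Largest number of accepted calls inside any one-second span.
    peak, lo = 0, 0
    for hi, t in enumerate(accepted):
        while t - accepted[lo] >= 1000:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return {"accepted": len(accepted), "dropped": attempts - len(accepted),
            "elapsed_ms": now, "peak_per_second": peak}

if __name__ == "__main__":
    for name, policy in [("1 no limit", ForcedDelay(0)),
                         ("2 cap 60/min", PerMinuteCap(60)),
                         ("3 delay 1 s", ForcedDelay(1000))]:
        print(name, burst(policy, 1000))
```

With these assumed numbers the cap admits 60 touches in the first 60 ms and silently drops the other 940, while the delay lets all 1000 through but never more than one per second and keeps no per-script history.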




