[Opensim-dev] osNPCxxx functions vs security

Argus argus at archimuh.de
Thu Jul 5 14:31:02 UTC 2012


Yes, option 3 is easier to implement.

  About the bad scripts, also a test script can be a danger where one forgot 
to create an exit in a loop. When I tested the average osNPCTouches I 
used a loop with a 10 second exit. The first touch script had a simple 
llOwnerSay() in the touch event to see what delay the function was 
creating. My viewer was entirely blocked for about 14 secs because the 
viewer was busy handling all those llOwnerSay() from the touch event.

@justin, could you give a short comment on my last mantis post about the NPC 
llDetectedType() implementation.

On 05.07.2012 01:32, Justin Clark-Casey wrote:
> I prefer option 3, since it would be identical to LSL functions and 
> hence in line with user expectations.   Like the LSL delays, these 
> would still be configurable.
>
> Option 3 is also simpler than option 2, which starts to involve 
> complicated record-keeping.  It also doesn't prejudice adding this in 
> the future if it proves really necessary.
>
> Without these limits, a large number of allowed OSSL functions could 
> be problematic, osNpcCreate for instance.  I think the most likely 
> scenario is badly written scripts.
>
> On 04/07/12 19:12, Argus wrote:
>> Hi.
>>
>>   Last week a new patch was posted by Talun in mantis (6063) with a 
>> new feature not implemented yet, osNPCTouch, which
>> enables NPCs to trigger the touch-event in scripted objects. As cool 
>> as this first sounds, there are some security issues
>> which should be addressed... or not
>>
>>   As justin pointed out, the discussion should best be made here and 
>> not on mantis. I think the goal of the discussion
>> should maybe be to end with a general security guideline for future 
>> and current implementation of NPCs in lsl /ossl?
>> This might also include some changes to the existing functions if a 
>> general consensus is found.
>>
>> Generally NPCs and their functions need to be manually enabled by the 
>> region owner, which limits NPC security issues to
>> those regions where NPCs are allowed. However, it is thinkable that 
>> griefers, neighbours or buggy scripts create security
>> issues on a region which result in spam or even crash the 
>> region/sim/server.
>>
>>   In lsl the solution is to have forced script delays in functions 
>> that could be used negatively, e.g. llInstantMessage
>> with 2 seconds delay or limited amount of repeated use per minute.
>>
>>   In the case of osNPCTouch, we have 1 NPC which can touch over 1000 
>> objects within 1 second. In this case NPCs can be
>> used to block items from being touched or, depending on the scripts 
>> touched, might even crash a region/sim/server due to
>> many active scripts doing some work.
>>
>> So should osNPCxxx functions generally have limits where 
>> griefing/crashes are possible and how should the limit be?
>> Basically we have 3 options:
>>
>> 1) we don't implement any limitation and accept that very seldomly 
>> some griefing can happen. Worst case scenario means
>> restoring some region backups after an attack...
>> 2) we could limit the functions to max amount of uses per minute. 
>> This allows the normal scripts to run fast until the
>> limit is reached. The limit is high enough for the normal uses, but 
>> causes a silent failure after the limit is reached.
>> 3) we could add a delay to functions. The script is always "slow" 
>> even if not being used for griefing.
>>
>> I personally would prefer 2, limitation per minute. This enables one to 
>> give certain NPC rights to trusted parcel owners
>> without the fear of some dispute between parcel neighbours ending in 
>> a total server crash.
>>
>> regards
>> Michelle
>> _______________________________________________
>> Opensim-dev mailing list
>> Opensim-dev at lists.berlios.de
>> https://lists.berlios.de/mailman/listinfo/opensim-dev
>>
>
>
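
The three options weighed in this thread, modelled as an added example (not code from the thread or from OpenSim) against a script that calls a touch-like function in a tight loop with a 10 second exit. The 1 ms call cost, the 120-per-minute limit and the 100 ms delay are assumed values chosen only for illustration; the class and function names are hypothetical.

```python
from collections import deque

CALL_MS = 1  # assumed cost of one un-throttled call: 1 ms, about 1000 calls/s

class NoLimit:
    """Option 1: no throttling."""
    def call(self, now_ms):
        return True, CALL_MS

class PerMinuteLimit:
    """Option 2: at most `limit` calls per sliding window, then silent failure."""
    def __init__(self, limit, window_ms=60_000):
        self.limit, self.window_ms, self.stamps = limit, window_ms, deque()

    def call(self, now_ms):
        while self.stamps and now_ms - self.stamps[0] >= self.window_ms:
            self.stamps.popleft()          # forget calls older than the window
        if len(self.stamps) >= self.limit:
            return False, CALL_MS          # dropped; the script keeps spinning
        self.stamps.append(now_ms)
        return True, CALL_MS

class ForcedDelay:
    """Option 3: every call succeeds but sleeps the script for `delay_ms`."""
    def __init__(self, delay_ms):
        self.delay_ms = delay_ms

    def call(self, now_ms):
        return True, CALL_MS + self.delay_ms

def run_loop(policy, duration_ms=10_000):
    """Tight loop with a timed exit; returns (delivered, dropped, first_second)."""
    now, delivered, dropped, first_second = 0, 0, 0, 0
    while now < duration_ms:
        ok, cost = policy.call(now)
        if ok:
            delivered += 1
            first_second += now < 1000     # touches landing in the first second
        else:
            dropped += 1
        now += cost
    return delivered, dropped, first_second

if __name__ == "__main__":
    for p in (NoLimit(), PerMinuteLimit(120), ForcedDelay(100)):
        print(type(p).__name__, run_loop(p))
```

With these assumed numbers both throttles deliver a similar total over 10 seconds, but the per-minute limit lets its whole allowance land as one burst in the first 120 ms, while the forced delay spreads calls out to 10 in the first second.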




