[Opensim-dev] Changing the permissions of osAvatarName2Key

Chris Weymann chris.weymann at chris-weymann.de
Mon Aug 3 18:12:46 UTC 2015


Hello all,  

That's right. With a bad script it is possible to carry out a DoS on a ROBUST server.
But this is possible with LSL functions too. I think the functionality should not be restricted because of possibly bad scripts.
The permission system is the wrong way to protect region or ROBUST stability. For this, the script engine needs a trigger limit for some functions.
My opinion is that these functions, and that everyone can use them, are important for some types of scripts.
I made this patch because I want to make a vendor system that works over HG. For this it is important that everyone can use these functions.

@Oren
Then, if it must be, you can change it back to "Low". It is OK for me.

Best regards 
Chris

-----Original Message-----
From: opensim-dev-bounces at opensimulator.org [mailto:opensim-dev-bounces at opensimulator.org] On Behalf Of Melanie
Sent: Monday, 3 August 2015 17:06
To: opensim-dev at opensimulator.org
Subject: Re: [Opensim-dev] Changing the permissions of osAvatarName2Key

Wrong. This function (and others classified thus) have a very real potential for DOS attacks. Calling them with a random argument will cause a request to the ROBUST services which could be inundated with 10s of thousands of requests by abusers with build/script rights.
There is no limit or throttle on them.

- Melanie


On 03/08/2015 15:50, Oren Hurvitz wrote:
> But what do you think the threat level *should* be? I think this is a 
> safe function that should be callable by everyone, since names and 
> avatar UUIDs are public knowledge.
> 
> On Mon, Aug 3, 2015 at 4:46 PM, Mister Blue 
> <misterblue at misterblue.com>
> wrote:
> 
>> Changing the ThreatLevel as opposed to changing the entry in 
>> 'osslEnable.ini' would cause existing installations that are using 
>> ThreatLevels as os function control to allow these functions. The 
>> ThreatLevel change would change regions that enable os functions but 
>> only the VeryLow functions. Are there many regions that do this?
>>
>> As an alternative, leave it ThreatLevel 'low' but change the entry in 
>> osslEnable.ini to 'true'. This would enable the function for all 
>> while keeping the previous threat note. Region owners who are using 
>> the ThreatLevel for control will probably think this is set at the 
>> level they need. Those who are not using ThreatLevel (and are 
>> probably just using the osslEnable.ini settings) wouldn't mind 
>> changing these functions to be enabled.
>>
>> Also, if changing ThreatLevel is a Good Thing, consider changing 
>> osGetGridName and osGetGridNick to VeryLow as these functions are 
>> needed by scripts while HGing. These are already 'true' in osslEnable.ini.
>>
>> == mb
>>
>> On Mon, Aug 3, 2015 at 5:44 AM, Oren Hurvitz <orenh at kitely.com> wrote:
>>
>>> Currently, osAvatarName2Key has ThreatLevel "Low" and is further 
>>> restricted to the estate manager or owner.
>>>
>>> A pending patch will change the permission to VeryLow, and allow the 
>>> function to be called by anyone.
>>>
>>> I think that's fine: this doesn't seem like a sensitive function. Is 
>>> there any reason not to allow this?
>>>
>>> And while we're at it, osKey2Name is similarly restricted, and I 
>>> think it should similarly be allowed to be called by anyone.
>>>
>>> --
>>> Oren Hurvitz
>>> VP R&D
>>> Kitely Ltd.
>>>
>>> Email: orenh at kitely.com <ilan at kitely.com>
>>>
>>> _______________________________________________
>>> Opensim-dev mailing list
>>> Opensim-dev at opensimulator.org
>>> http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
>>>
>>>
>>
> 
_______________________________________________
Opensim-dev mailing list
Opensim-dev at opensimulator.org
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
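
The missing throttle raised in this thread (the "trigger limit" for such functions), modelled as an added example that is not OpenSimulator code and not written by anyone in the thread: a per-owner token bucket with a result cache in front of the name lookup. `LookupThrottle`, `simulate_flood`, the rate and burst values and the sample account are assumptions made for illustration.

```python
import time

class LookupThrottle:
    """Per-owner token bucket plus a short result cache in front of a backend lookup."""

    def __init__(self, backend, rate=1.0, burst=5, cache_ttl=60.0, clock=time.monotonic):
        self.backend = backend      # callable name -> key or None; stands in for the ROBUST request
        self.rate, self.burst = rate, burst   # refill per second and bucket size, per script owner
        self.cache_ttl = cache_ttl
        self.clock = clock
        self.buckets = {}           # owner -> (tokens, time of last refill)
        self.cache = {}             # lowercased name -> (key or None, expiry time)

    def _take_token(self, owner, now):
        tokens, last = self.buckets.get(owner, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.buckets[owner] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def name_to_key(self, owner, name):
        """Return (status, key); status is 'cache', 'backend' or 'throttled'."""
        now = self.clock()
        hit = self.cache.get(name.lower())
        if hit is not None and hit[1] > now:
            return "cache", hit[0]          # answered locally, costs no token
        if not self._take_token(owner, now):
            return "throttled", None        # the backend never sees this call
        key = self.backend(name)
        # Unknown names are cached too, so repeating a bad name stays local.
        self.cache[name.lower()] = (key, now + self.cache_ttl)
        return "backend", key

def simulate_flood(calls=10000):
    """Constructed scenario: one owner's script asks for `calls` distinct names within one second."""
    accounts = {"test user": "11111111-2222-3333-4444-555555555555"}  # constructed sample data
    seen = []
    def backend(name):
        seen.append(name)
        return accounts.get(name.lower())
    now = [0.0]
    throttle = LookupThrottle(backend, rate=1.0, burst=5, clock=lambda: now[0])
    for i in range(calls):
        now[0] = i / calls
        throttle.name_to_key("owner-a", f"Random Name{i}")
    flood_hits = len(seen)                  # backend requests caused by the flood
    now[0] = 1.0
    other = throttle.name_to_key("owner-b", "Test User")   # a different owner is unaffected
    return flood_hits, other
```

Because the bucket is keyed by script owner, the flood is cut to the burst size while other owners' scripts keep resolving names.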

