Bukkit & Security?

Discussion in 'Bukkit Discussion' started by Sky.NET, Jan 6, 2011.

Thread Status:
Not open for further replies.
  1. Offline

    Sky.NET

    First, imho, everyone is responsible for his own security, and if got owned by virus, backdoor or RAS, the fault is their.

    But!
    People are able to write plugins 4 bukkit.
    People are able to put very bad code into that plugins, code like downloading external programms from their places, start them... and... gotcha, your server is carried over by some script kiddie.
    People are evil (not all people, but many).

    How is the bukkit-dev-team thinking about this issue? Will they check every plugin for bad code? Will there be a team that do this? Or will they leave the users with the risk of infection?
    Will there be a middleway, like plugins that are signed 'officialy declared as secure by checking' and plugins that are not, but free to use but a little bit riskier?

    And whats with autoupdates? Will they be checked before available?
    Who can promise me, that a plugincoder who once thought 'i will never betray my users' just turn into an evil bad script kiddie that now thinks 'i need a botnet, i will use all the servers using my plugin for that'.

    Coding such a system has its responsibilities.
     
  2. Offline

    matejdro

    Sounds nice to me:

    1. When plugin or plugin update is added to plugin repository, it's marked as "unchecked" or something like that.
    2. When moderators or decent amount of people confirm that plugin is safe, plugin is marked as checked.
    • Server administrators can still download unchecked plugins, but they shall be warned
    • Plugin will not automatically update to unchecked version unless server admin overrides that.
     
  3. Offline

    Sky.NET

    Is that just your idea or has someone else from the bukkit team posted it anywehre here?
    In the last years i was very active in another communityproject arround coding things for a javabased chat called 'knuddels' (i coded gamebots, spambots and other evil forbidden things hehehe:D) i know what i am talking about, and before things will go bad and everyones shouting to the bukkit-team because they didnt do anything to prevent or reduce the risk to get infected i just want to get a clear message from them wheter they care or not.

    If not, i'll gonna stop using bukkit before i started using it.
    Dont wanna see my server as part of a botnet doing illegal things and the law holding ME accountable for that illegal action. Thats not the way i wanna pay for the fun of my players!
     
  4. Offline

    croxis

    In reality, not much. The only way to limit this is to sandbox plugins into stripped down lua or something similar. World of Warcraft and Civ V does this (which prevented me from making an in game irc client for Civ V, grumble grumble). It is a trade off between functionality and security.

    As far as the repository though there is a lot that can be done, and I am confident the team is doing a good job of it. If it was me building it I would probably model it after the linux repositories.
     
  5. Offline

    matejdro

    I made up this idea, based on several other forums and repositories i've seen.

    I don't think we should sandbox plugins. That will reduce responsibilities.
     
  6. Offline

    mindless728

    honestly we have to just trust each other and tell the community if the plugins do something irresponsible about security so everyone knows

    also if they made it mandatory to post the original source code into the jar for the plugin then people could look at it before hand easier
     
  7. Offline

    AnonymousJohn

    I think that much of the user-base is alert enough to know when something has downloaded/is using other software, and will very gladly point it out to everyone when they find that it does so (and then a forum admin would probably lock the thread and modify the plugin's forum thread to state that it does so and possibly ban the creator). Hopefully this is not an issue.
    --- merged: Jan 7, 2011 3:03 AM ---
    Crap you beat me to it. xD
     
  8. Offline

    ChadTheDJ

    It would be nice because there will be people always ruining it for the rest of us. I hate to see the plugins turn into something like an apple app closed market (if you get what I mean) and you are limited to what you can do. Lets support creative freedom (safely)
     
  9. Offline

    Obsidian

    Being able to report plugins for security issues is a must.
     
  10. Then this becomes an Issue for the Team because there Will be people that will Abuse the "Report for Security Issue(s)" Button.
     
  11. Offline

    Sky.NET

    I was not speaking about members who act honestly, i was talking about members who are evil or have evil plans.
    I will never trust anybody on the internet, doing that could lead you to very dangerous situations.

    Not really, if they check the plugins and updates before available to the public, this isnt a must.

    Eh? You think that? There are MANY people using plugins who has no idea whats possible to do with a possibility to inject code on a machine where you have FULL rights, networkconnection and no restrictions of what code to use.

    Let me give you some example to understand my point:

    • Plugincoder codes a plugin, this plugin is just awesome, everybody will use it.
    • Brings it out an waits a little time.
    • Plugincoder changes his plugincode in a way that it downloads (in case of infecting win-servers) some executable whitch is a FUD crypted RAT whitch will make him able to take full control over the servers downloaded this tool.
    • Plugincoder does nothing with that tool!
    • Plugincoder just brings out an update, marked as 'important changes made'.
    • Plugincoder waits until he has infected enought systems (depends on how much computingpower he needs) and then simply deletes the downloading and executing code from his plugin.
    • Plugincoder brings out another 'important changes made' update without the bad code in it.
    • NOW he start doing evil things with your machine!
    In the future NOBODY would be able to locate the responsible person who was taking over their servers.

    What is he able to do?
    • Hosting childporn on YOUR machine
    • Hosting cracked software on YOUR machine
    • Using the networkpower of YOUR machine for DDOS/DOS
    • Using YOUR machine for bruteforcing anything needed
    • Using YOUR machine to host and spread viruses and RATs where he wants to
    • Using YOUR machine as VPN to hide his own identity while hacking arround at the internet
    • ... and MUCH more...
    You still really think you wanna trust anybody on the internet writing software (you use) and is not a company? If you do, you should immediately stop using software written by private persons anymore, its too dangerous for you.

    Thats the reason why plugins and updates should be checked before spreaded out everywhere.
    I not wanna say everybody here is evil, that would be exaggerated, but only one person is enought to break down everything! Keep that in mind!
     
  12. Offline

    Raphfrk

    I have never used it, but apparently Java has a built in sandbox via the SecurityManager class.

    You could then restrict the plugin from access to the outside world except though the API.

    This would have to provide things like file I/O (to specific directories) and at least permit network access.

    An IRC client plugin would need to be given permission to connect to <some host> and some plugins would need to be given the rights to listen on a specific port.

    The idea would be that new features would be added to allow plugins do everything that they can currently do.

    However, the admin would have to specifically allow access to specific features. In theory, you could have the fill bukkit site show a table with what features each plugin has requested.

    I think that requiring plugins to be certified would be to much of a burden and it would massively slow down updates (both the rate and number).
     
  13. Offline

    Sky.NET

    Good idea Raph, i didnt know about the Secutriy Manager in Java (long time ago that ive used java).
    This would be a very nice solution to this problem.
    However the plugin-releases/updates would be slown it fixes a big and important securityissue in bukkit (hmod never taked care about the secutrity of his users nor will do that in its last days).
    Its better to wait a few days more for a update, than go to jail, dont?
     
  14. Offline

    Obsidian

    Yes, it is. Those that audit the plugins/updates can miss things such as obscure security holes, which a community member can happen upon themselves. Remember, everyone here is only human; as such we are all liable to make mistakes and oversights. These mistakes and oversights, however, can be quite costly if they are left to go unchecked.

    Having the ability to report plugins would greatly improve the time for a plugin with a vulnerability to be removed (pending fix) and the author notified.
     
  15. Offline

    tremor

    @Sky.NET - you are absolutely right... I run my SMP server on linux and every plugin I've added to it in hMod I've wondered what potential things this developer has coded into it. Is it send the MySQL user & pass to some hacker? Is it creating a little open relay SMTP server for blasting spam through and thats why that game is running so slow now? And since the plugin is wrapped into the minecraft_mod.jar -- you potentially have no idea what it is doing even viewing the process list. You almost have to review the code line by line to make sure there is no malicious material. For linux admins, I suggest creating a limited rights account for installation... although this wouldn't stop every possibility its a start.

    Maybe there should be an official repo for plugins, and a development repo... server admins could choose to get the latest releases from the dev repo... or wait for the official repo where the plugin has been review, tested and certified 100% whole beef by the bukkit staff.
     
  16. Offline

    RoTide

    This should be "common sense" for linux admins. _Never_ run a server using an account that has more permissions than it requires! Always, always, create a new account for game servers and run it using that new, less privileged, account.
     
    Sky.NET likes this.
  17. Offline

    lukegb Retired Staff

    In addition, SELinux can severely limit the ability of an "infected" JVM to actually do anything - all it would be able to do is, well, make HTTP/HTTPS connections (needed to download plugins) and wait for connections from people. It could also write to its space on disk, which could be restricted via quota.
     
  18. Offline

    Sky.NET

    I agree, but there is everytime a 'but', especially in case of people using windows servers. (i know how to setup a packetfilter policy, i know how to setup the extended windows server firewall, but i know many people who run a minecraftserver and dont know anything about server-security)

    Should we leave those people in unawareness of the risk thats behind using software written by unknown people?
    I think we shouldnt, that would be evil like infecting them directly.

    However this is not my decison, i just want people to keep in mind, that the internet is no place like heaven everyone is loving and caring each other, and i would love to see, that the bukkit team is thinking in my way related to this topic and do their best to prevent the situation ive shown in post 11. However 'do their best' not means that the bukkit team has to take over responsibility for every user using bukkit or every machine bukkit is running on.
    Last post here now, there is finally nothing more to say for me. You know my point, and thats it.
     
  19. Offline

    tremor

    You'd be surprised at how many people, myself included when I first started out as a hobbyist game server admin.... purchased a linux VPS for game hosting and didn't know the first lick of responsible security measures, just wanted to have my own server! Only after a few hackings did I start saying - oh crap I better learn how to tighten this s__t up.
     
Thread Status:
Not open for further replies.

Share This Page