• Print

Author Topic: Questionable security rights at 'user' level  (Read 45 times)

0 Members and 1 Guest are viewing this topic.

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Questionable security rights at 'user' level
« on: September 28, 2009, 03:28:14 pm »
While helping another user here with his ULX not allowing console commands, I looked through my own groups.txt.
I've not edited groups.txt in months(years?) and the codebase change has made 2 backups for me.

However, looking at my current groups.txt "user" group access, it has several functions I'm not sure I'd want a user doing.
Now, I've not tried rebuilding from clean/scratch my groups.txt file yet, but, wanted to throw this out there.

Code: [Select]
"user"
{
"allow"
{
"_pw"
"ulx"
"ulx addadvert"
"ulx addcsayadvert"
"ulx addforceddownload"
"ulx addgimpsay"
"ulx asay"
"ulx debuginfo"
"ulx help"
"ulx helpme"
"ulx logchat"
"ulx logdir"
"ulx logecho"
"ulx logevents"
"ulx logfile"
"ulx logspawns"
"ulx logspawnsecho"
"ulx menu"
"ulx motd"
"ulx psay"
"ulx thetime"
"ulx usermanagementhelp"
"ulx votebanminvotes"
"ulx votebansuccessratio"
"ulx voteecho"
"ulx votekickminvotes"
"ulx votekicksuccessratio"
"ulx votemap"
"ulx votemap2minvotes"
"ulx votemap2successratio"
"ulx votemapaddmap"
"ulx votemapenabled"
"ulx votemapmapmode"
"ulx votemapmintime"
"ulx votemapminvotes"
"ulx votemapsuccessratio"
"ulx votemapvetotime"
"ulx votemapwaittime"
"ulx who"
"ulx_cvar"
"ulx_getbans"
"ulx_getgamemodes"
"ulx_valueupdate"
}
}

Am I incorrect in presuming a 'user' on my server could set "ulx logevents" to 0/off?
(or any other of those commands I wouldn't want a user to do, addforceddownloads, adverts, any number of evil things)
« Last Edit: September 28, 2009, 03:29:49 pm by JamminR »
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: Questionable security rights at 'user' level
« Reply #1 on: September 28, 2009, 05:05:26 pm »
Here's the current one:

Code: [Select]
"user"
{
"allow"
{
"ulx asay"
"ulx clientmenu"
"ulx help"
"ulx logchat"
"ulx logdir"
"ulx logecho"
"ulx logevents"
"ulx logfile"
"ulx logspawns"
"ulx logspawnsecho"
"ulx menu"
"ulx motd"
"ulx psay"
"ulx thetime"
"ulx usermanagementhelp"
"ulx votebanminvotes"
"ulx votebansuccessratio"
"ulx voteecho"
"ulx votekickminvotes"
"ulx votekicksuccessratio"
"ulx votemap"
"ulx votemap2minvotes"
"ulx votemap2successratio"
"ulx votemapenabled"
"ulx votemapmapmode"
"ulx votemapmintime"
"ulx votemapminvotes"
"ulx votemapsuccessratio"
"ulx votemapvetotime"
"ulx votemapwaittime"
"ulx who"
}
}

Yes, they have access to cvars. I'll be changing cvars soon though. (yes, again. I like our new command system, the current way was hackish). :)
Experiencing God's grace one day at a time.

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: Questionable security rights at 'user' level
« Reply #2 on: September 28, 2009, 05:25:23 pm »
"How' soon Megiddo?
I'd hate for somethings to happen to tarnish the Ulysses name.
Sure, its SVN, but, I still consider that a large security exploit possibility not fully covered by "SVN = beta = use at your own risk"
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: Questionable security rights at 'user' level
« Reply #3 on: September 28, 2009, 06:07:58 pm »
Got of lot of stuff coming up, so probably within the next two weeks. Feel free to bug me about it. :P
Experiencing God's grace one day at a time.

Offline Stickly Man!

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 1270
  • Karma: 164
  • What even IS software anymore?
    • XGUI
Re: Questionable security rights at 'user' level
« Reply #4 on: June 28, 2010, 08:38:49 am »
*BUMP* Hate to do this, but.. This kinda is still a problem, as I pointed out to Megiddo yesterday ???

Mostly bumping to remind Megiddo :P

(Also, JamminR, the funnest thing to do with the cvars is set all of the votemap parameters to 0 (except ulx_votemapEnabled, of course)-- And now users have access to instant changemap!)
Join our Team Ulysses community discord! https://discord.gg/gR4Uye6

Offline jay209015

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 934
  • Karma: 62
    • Dev-Solutions
Re: Questionable security rights at 'user' level
« Reply #5 on: June 28, 2010, 11:19:02 am »
*BUMP* Just to make sure Megiddo doesn't forget. Oh and it was irresistible not to bump, haven't done it in soo long.
An error only becomes a mistake when you refuse to correct it. --JFK

"And thus the downfall of the great ULX dynasty was wrought not by another dynasty, but the slow and steady deterioration of the leaders themselves, followed by the deprecation of the great knowledge they possessed." -Gmod, Chapter 28, verse 34 -- Stickly

Offline MrPresident

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 2727
  • Karma: 430
    • |G4P| Gman4President
Re: Questionable security rights at 'user' level
« Reply #6 on: July 01, 2010, 01:50:09 pm »
*BUMP*

...

What? Everyone else was doing it!!!

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: Questionable security rights at 'user' level
« Reply #7 on: July 01, 2010, 02:01:10 pm »
*BUMP*

...

What? Everyone else was doing it!!!


Absolutely!
*BUMP*
Everyone do the Bump!
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: Questionable security rights at 'user' level
« Reply #8 on: July 01, 2010, 02:02:33 pm »
I made a patch today while I was waiting for a file to extract at work, it'll be up when I get home.
Experiencing God's grace one day at a time.

Offline Stickly Man!

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 1270
  • Karma: 164
  • What even IS software anymore?
    • XGUI
Re: Questionable security rights at 'user' level
« Reply #9 on: July 01, 2010, 02:04:25 pm »
Ok!  ;D

Everybody was *bump*-foo fighting!! na-na-na-na naaa na na naaa!
Join our Team Ulysses community discord! https://discord.gg/gR4Uye6

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: Questionable security rights at 'user' level
« Reply #10 on: July 01, 2010, 02:09:07 pm »
EU, Doing the bump, sexy sexy.
Oh. Wait. Wrong B word.
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: Questionable security rights at 'user' level
« Reply #11 on: July 01, 2010, 04:11:34 pm »
Bump, here's the new defaults:

Code: [Select]
"user"
{
"allow"
{
"ulx asay"
"ulx clientmenu"
"ulx help"
"ulx menu"
"ulx motd"
"ulx psay"
"ulx thetime"
"ulx usermanagementhelp"
"ulx votemap"
"ulx who"
}
}
"superadmin"
{
"allow"
{
"overcomeimmunity"
"ulx addgroup"
"ulx adduser"
"ulx adduserid"
"ulx cexec"
"ulx ent"
"ulx exec"
"ulx groupallow"
"ulx hiddenecho"
"ulx logchat"
"ulx logdir"
"ulx logecho"
"ulx logevents"
"ulx logfile"
"ulx logspawns"
"ulx logspawnsecho"
"ulx luarun"
"ulx maul"
"ulx rcon"
"ulx removegroup"
"ulx removeuser"
"ulx removeuserid"
"ulx renamegroup"
"ulx setgroupcantarget"
"ulx userallow"
"ulx voteecho"
}
"inherit_from" "admin"
}
"admin"
{
"can_target" "!%superadmin"
"allow"
{
"ulx adminmenu"
"ulx armor"
"ulx ban"
"ulx banid"
"ulx banmenu"
"ulx blind"
"ulx bring"
"ulx chattime"
"ulx cloak"
"ulx csay"
"ulx freeze"
"ulx gag"
"ulx gimp"
"ulx god"
"ulx goto"
"ulx hp"
"ulx ignite"
"ulx jail"
"ulx kick"
"ulx map"
"ulx mapsmenu"
"ulx mute"
"ulx noclip"
"ulx physgunplayer"
"ulx playsound"
"ulx ragdoll"
"ulx reservedslots"
"ulx rslots"
"ulx rslotsmode"
"ulx rslotsvisible"
"ulx send"
"ulx showmotd"
"ulx slap"
"ulx slay"
"ulx spawnecho"
"ulx spectate"
"ulx sslay"
"ulx strip"
"ulx teleport"
"ulx tsay"
"ulx unban"
"ulx unblind"
"ulx uncloak"
"ulx unfreeze"
"ulx ungag"
"ulx ungimp"
"ulx ungod"
"ulx unignite"
"ulx unigniteall"
"ulx unjail"
"ulx unmute"
"ulx unragdoll"
"ulx veto"
"ulx vote"
"ulx voteban"
"ulx votebanminvotes"
"ulx votebansuccessratio"
"ulx votekick"
"ulx votekickminvotes"
"ulx votekicksuccessratio"
"ulx votemap2"
"ulx votemap2minvotes"
"ulx votemap2successratio"
"ulx votemapenabled"
"ulx votemapmapmode"
"ulx votemapmintime"
"ulx votemapminvotes"
"ulx votemapsuccessratio"
"ulx votemapvetotime"
"ulx votemapwaittime"
"ulx welcomemessage"
"ulx whip"
"ups disableplayers"
"ups globaldisable"
"ups miscdeletionaccess"
"ups_damage"
"ups_freeze"
"ups_physgun"
"ups_remove"
"ups_tool"
"ups_unfreeze"
"ups_use"
"ups_vehicle"
}
"inherit_from" "operator"
}
"operator"
{
"can_target" "!%admin"
"allow"
{
"ulx seeasay"
}
"inherit_from" "user"
}
Experiencing God's grace one day at a time.

Offline Stickly Man!

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 1270
  • Karma: 164
  • What even IS software anymore?
    • XGUI
Re: Questionable security rights at 'user' level
« Reply #12 on: July 01, 2010, 05:07:50 pm »
Bump around, bump around, bump around now-- bump up! bump up! get dowwn!

Oh.. I mean.. Awesome :D

Also, Megiddo, I wanted to pitch an idea where with every access string we include a type.. e.g. cmd, cvar, xgui (for my own) etc.. It would help for sorting things in XGUI later :D
Join our Team Ulysses community discord! https://discord.gg/gR4Uye6

Offline jay209015

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 934
  • Karma: 62
    • Dev-Solutions
Re: Questionable security rights at 'user' level
« Reply #13 on: July 02, 2010, 07:35:37 am »
Bump around, bump around, bump around now-- bump up! bump up! get dowwn!

Oh.. I mean.. Awesome :D

Also, Megiddo, I wanted to pitch an idea where with every access string we include a type.. e.g. cmd, cvar, xgui (for my own) etc.. It would help for sorting things in XGUI later :D
     - I wouldn't personally suggest that in the configs, but if there were some function where you could pass the access string and it return a type that would be a different story.
An error only becomes a mistake when you refuse to correct it. --JFK

"And thus the downfall of the great ULX dynasty was wrought not by another dynasty, but the slow and steady deterioration of the leaders themselves, followed by the deprecation of the great knowledge they possessed." -Gmod, Chapter 28, verse 34 -- Stickly

  • Print