Everyone knows player permissions… Player may do this or that…
But I was recently thinking of a feature that could/should be implemented in Sponge.
For those with Android you know you have to accept the rights an App has, I thought it would be nice to have the same thing in Sponge for plugins.
Example:
MyNonMaliciousPlugin requires rights to the following
Give OP
Stop server
Access the internet
Disable plugins
Listen for movement
,…
That way you could provide a bigger level of control. Of course plugins will be able to bypass this with reflection or ASM but most of these malicious plugins are made by kids who just want ‘OP’
The way I would like to see this implemented would be like a config file (just like player permissions) where you give a specific plugin rights. (Or at least see the rights the plugin needs with a command).
The level of control will never be as good as Android (since you build and work only on that SDK, things like “access the internet” will prob not be possible)
This might be more properly implemented at the level of downloading/installing the plugin. Android uses code signing to verify that the code hasn’t been modified, I’ve been hoping that at some point a plugin system would support code signing to prevent malicious builds of plugins floating around.
I was more thinking of: In order to access .setOp() (as an example) you would need a specific permission
It doesn’t have to be fancy, its just to stop the script kiddies from creating a ForceOP or stopServer plugin
Yeah, but that can’t be solved well in java, it’d be too easy to bypass from my experience with Java. I like the idea of trying to focus all distribution from a trusted source that reviews submissions prior to publishing them as downloads. A force op plugin needs to be installed on purpose, so it’s hard to find someone installing one without meaning too or at least being mislead about the plugin they downloaded.
I guess you could implement such a system with a SecurityManager. This includes usage of reflection, so bypassing it is not that easy. However working with a security manager is quit hard for developers and results in complicated, sort of ugly code. Trusted source solutions might be a lot easier to implement.
If this is implemented into Sponge, it will make Sponge slower (depending on the implementation). If a system like this is approved, I’d put it into whatever we will have for plugin distribution.
This won’t work after a couple of weeks. Someone will write an abstraction lib to ASM and everyone will use it to easily access those methods without needed permissions.
Let’s not start accusing people of stealing ideas in such an immature and obnoxious way… Of course OP’s submission is a bit similar to that post you mentioned. Also, Android is not run on Java… Android applications are written in Java…
I like the idea and benefits of such a system. But I’m afraid the system could either be easily bypassed and therefore giving a false sense of security, or become very complex to deal with as a developer.
However, maybe a solution could be to add such a function to a distribution system. This way, all plugins would have to explicitly state certain security relevant functionalities, giving the user a clear overview on what it does.
@bob7l I don’t think that’s been confirmed, just likely. I’d think they’d need to get a few more staff members for that first.
Aside from that, I’m rather against this whole idea. It would be nice for those who just stick any unsafe plugin they find on their server, but that’s just user error in my opinion, and shouldn’t be tasked to the mods to help make your own server safer if you do that.
Just use mods from an official repo when it’s available. If the developer is transparent, any iffy code or access will be mentioned and explained somewhere.
It also does seem the idea is more inclined to the download page, but I see what you mean by having permissions that can dynamically deny or allow a plugin access to certain things, although this just complicates the development process and forces us to put in a lot more error checking. I’m fine with the “if you install my plugin, you agree to let it do whatever it needs to do” idea at the moment.
I don’t like this idea at all. Plugins should be centrally approved and not have to ask for permissions, or else we will have really skeptical server owners. I.e. plugin has a soft dependancy so needs to access the internet.
“Omg it’s trying to hack me run.”
iIt isn’t lilely that enhancing plugin security will happen in the same way Android handles application security. For starters, Android is a customized Virtual Machine where most of the standard Java libraries do not exist, and therefor, performing certain tasks do in fact require going through the customized security system. To replicate this in a Minecraft Server where the standard Java libraries are available, it’s relatively easy to bypass most attempts at security permission checks. Lastly, as some people have said before, it should not be the API’s job to make sure a plugin is not doing something potentially dangerous, it’s the developer and the server administrator’s job.
This is mostly my opinion, so take it for what it’s worth.
I have to agree with this, it would be very hard to make a permission system that would be able to catch all. If the sponge core team ever plans on making a plugin repo like bukkit dev, then the review process alone should be enough for making sure malicious plugins don’t go through.
And like Pixel said, permissions don’t achieve much except make paranoid server administrators.