Server Plugin Security


KingJ

Many servers now allow the use of plugins to extend the functionality of the server. However, this effectively allows clients to execute any code they wish, good or bad, on your system. I know TCA has an option to prevent the upload of certain file extensions, and I could simply prohibit the upload of DLL files, but then we would need to provide continually up-to-date versions of all mods to all servers - quite a bit (I also host non-Valve games which use quite a few 3rd party plugins). This can also be an inconvenience for clients.

By default, TCA appears to run as the NT AUTHORITY\SYSTEM user, allowing full unrestricted access to all files on the system; a simple delete command could cause a lot of pain or allow a backdoor to be opened.

What would be more appropriate is for TCA to run servers under its own user, or a restricted user to limit any damage that a plugin can do. Sadly, unlike Linux, Windows users don't have the option of chrooting applications to their home directory, thus only allowing them to destroy themselves (which isn't a problem!). As implementing this will likely take a lot of work on the behalf of the TCA devs, I do not foresee such a feature being implemented.

What strategies do you use to protect against clients uploading malicious DLLs and executing code on your server?


Archived

This topic is now archived and is closed to further replies.
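
One way to measure the exposure raised in the post above, as an added example that is not part of the original thread and not TCA's own tooling: a PowerShell audit that reports which account each hosted server process runs as and which DLLs sit in the directory tree it can load plugins from. The root path `C:\GameServers` and the parameter name `ServerRoot` are assumptions; substitute the folder your control panel installs servers into.

```powershell
# Added example. $ServerRoot is an assumed placeholder, not a path from the post.
param(
    [string]$ServerRoot = 'C:\GameServers'
)

# Run elevated; otherwise the owner of processes started by other accounts cannot be read.
$root = $ServerRoot.TrimEnd('\') + '\'

# Every running process whose executable lives under the hosted-server root.
$procs = Get-CimInstance -ClassName Win32_Process | Where-Object {
    $_.ExecutablePath -and
    $_.ExecutablePath.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)
}

foreach ($p in $procs) {
    # GetOwner returns Domain and User; ReturnValue 0 means the lookup succeeded.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    if ($owner.ReturnValue -eq 0) {
        $account = "$($owner.Domain)\$($owner.User)"
    } else {
        $account = 'unknown'
    }
    $isSystem = ($owner.Domain -eq 'NT AUTHORITY' -and $owner.User -eq 'SYSTEM')

    # DLLs in the server's own tree: the files a client upload can add or replace.
    $serverDir = Split-Path -Path $p.ExecutablePath -Parent
    $dlls = Get-ChildItem -LiteralPath $serverDir -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue

    foreach ($dll in $dlls) {
        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            Executable  = $p.ExecutablePath
            RunsAs      = $account
            RunsAsSystem = $isSystem
            Dll         = $dll.FullName
            Signature   = (Get-AuthenticodeSignature -LiteralPath $dll.FullName).Status
            LastWritten = $dll.LastWriteTime
        }
    }
}
```

Rows with `RunsAsSystem` set to `True` and a `Signature` other than `Valid` are the combinations the post is worried about: client-supplied code inside a process with unrestricted access to the machine.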
