KingJ Posted March 27, 2009 Share Posted March 27, 2009 Many servers now allow the use of plugins to extend the functionality of the server. However, this effectively allows clients to execute any code they wish, good or bad on your system. I know TCA has an option to prevent the upload of certain file extensions, and I could simply prohibit the upload of DLL files, but then we would then need to provide continually up to date version of all mods to all servers - quite a bit (I also host non-valve games which use quite a few 3rd party plugins). This can also be an inconvenience for clients. By default, TCA appears to run as the NT AUTHORITY\SYSTEM user, allowing full unrestricted access to all files on the system, a simple delete command could cause a lot of pain or allow a backdoor to be opened. What would be more appropriate is for TCA to run servers under it's own user, or a restricted user to limit any damage that a plugin can do. Sadly, unlike linux, Windows users don't have the option of chrooting applications to their home directory, thus only allowing them to destroy themselves (which isn't a problem!). As implementing this will likely take a lot of work on the behalf of the TCA devs, I do not foresee such a feature being implemented. What strategies do you use to protect against clients uploading malicious DLLs and executing code on your server? Link to comment Share on other sites More sharing options...
HIS-MOTHER Posted March 27, 2009 Share Posted March 27, 2009 What strategies do you use to protect against clients uploading malicious DLLs and executing code on your server? We restrict .dll uploads and keep ours mods up to date. Link to comment Share on other sites More sharing options...
nosit1 Posted March 27, 2009 Share Posted March 27, 2009 There's a few DLL's for our game that users need, but we have to restrict them because of DLL's like Mattie's Systems and gm_shellexe. Link to comment Share on other sites More sharing options...
KingJ Posted March 28, 2009 Author Share Posted March 28, 2009 I guess disabling DLL uploads is my only option. I already keep MM and SM up to date for CSS, TF2 and L4D - i'll just have to expand it to all games now. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.