Discussion about client-side modding

Linuxdirk
Member
 
Posts: 1525
Joined: Wed Sep 17, 2014 11:21
Location: Germany
In-game: Linuxdirk

Re: Client-side modding section

by Linuxdirk » Mon May 22, 2017 12:43

tjnenrtn wrote:Let me pose a question: what possibly could be any better for the state of Minetest security and exposing problems than CSM?!

You mean except a security based code audit, or a more detailed permissions system, or SSL connections to servers by default, or more server-side validity checks for client actions?
 

tjnenrtn
Member
 
Posts: 12
Joined: Fri May 19, 2017 23:49
GitHub: tjnenrtn
IRC: tjnenrtn
In-game: tjnenrtn

Re: Client-side modding section

by tjnenrtn » Tue May 23, 2017 02:44

  • security based code audit: this would be fantastic, but very expensive and certainly way beyond the scale of resources available to this volunteer-run project, maybe crowdfunding is an option?
  • more detailed permissions system: extra granularity here would be great, pretty sure I've seen improvements discussed over on git, but I'm not sure how much is actually gained from this in terms of server security posture
  • SSL by default: would be awesome and maybe this is possible now with Let's Encrypt, but as you know provides no protection whatsoever from client-side exploits which is the context of this discussion
  • server-side validity checks: this one! imho this is an argument for CSM, not against as it is now the very thing driving devs to focus on these concerns; already improvements are landing such as private meta, I'm sure more will follow

There are some valid concerns about CSM, sure, but the FUD and hostility are completely uncalled for (not to mention cringe-worthy) given the huge amount of free work done by volunteers to make this game.
 

kaadmy
Member
 
Posts: 701
Joined: Thu Aug 27, 2015 23:07
GitHub: kaadmy
IRC: KaadmY
In-game: KaadmY kaadmy NeD

Re: Client-side modding section

by kaadmy » Tue May 23, 2017 14:41

Well...
Having more secure privileges is pretty useless, since the client can just ignore specific privileges because they're all checked client-side.
I could literally add one line to the client to give myself all movement/rendering privileges.
Never paint white stripes on roads near Zebra crossings.

Pixture
 

Linuxdirk
Member
 
Posts: 1525
Joined: Wed Sep 17, 2014 11:21
Location: Germany
In-game: Linuxdirk

Re: Client-side modding section

by Linuxdirk » Tue May 23, 2017 16:35

kaadmy wrote:Having more secure privileges is pretty useless, since the client can just ignore specific privileges because they're all checked client-side.

Then on server side check all stuff a client does against a list of things a client could do and if it differs: kick.
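
Added example, not part of the original posts and not Minetest's own code: a Python model of the server-side check suggested above, in which the server judges every client-reported position against privileges it holds itself. The speed limits, strike count, flat map and player names are constructed assumptions.

```python
from math import dist

# Hypothetical limits (nodes per second / nodes); not Minetest's real values.
WALK_SPEED, FAST_SPEED = 4.0, 20.0
JUMP_HEIGHT = 1.5   # highest a player without "fly" may be above the ground
SLACK = 1.25        # tolerance for network jitter
MAX_STRIKES = 3     # violations before the player is kicked


class MovementValidator:
    """Judges client-reported positions using only server-held state."""

    def __init__(self, privs, ground_height):
        self.privs = privs                  # name -> set of granted privileges
        self.ground_height = ground_height  # (x, z) -> y, from the server's map
        self.last = {}                      # name -> (time, pos) last accepted
        self.strikes = {}                   # name -> violation count

    def check(self, name, t, pos):
        """Return 'accept', 'reject' (caller resets the position) or 'kick'."""
        granted = self.privs.get(name, set())
        x, y, z = pos
        violation = ("fly" not in granted
                     and y - self.ground_height(x, z) > JUMP_HEIGHT)
        if name in self.last:
            t0, p0 = self.last[name]
            limit = FAST_SPEED if "fast" in granted else WALK_SPEED
            # Horizontal speed only, so that falling is not flagged.
            horiz = dist((p0[0], p0[2]), (x, z))
            violation |= t <= t0 or horiz / (t - t0) > limit * SLACK
        if not violation:
            self.last[name] = (t, pos)
            return "accept"
        self.strikes[name] = self.strikes.get(name, 0) + 1
        return "kick" if self.strikes[name] >= MAX_STRIKES else "reject"


def demo():
    flat = lambda x, z: 0.0  # constructed map: flat ground at y = 0
    v = MovementValidator({"alice": {"fast"}, "mallory": set()}, flat)
    reports = [  # constructed (name, time, position) reports
        ("alice", 0.0, (0, 0, 0)), ("alice", 1.0, (15, 0, 0)),
        ("mallory", 0.0, (0, 0, 0)), ("mallory", 1.0, (15, 0, 0)),
        ("mallory", 2.0, (3, 10, 0)), ("mallory", 3.0, (40, 0, 0)),
    ]
    return [v.check(*r) for r in reports]
```

Because a rejected report never updates the last accepted position, whatever a modified client claims about its own privileges has no effect on the verdict.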
 

DS-minetest
Member
 
Posts: 969
Joined: Thu Jun 19, 2014 19:49
Location: in front of my pc (which is at home)
GitHub: DS-Minetest
In-game: DS

Re: Client-side modding section

by DS-minetest » Fri Jun 02, 2017 15:38

What to do with a mod that can be server- and client-side?
viewtopic.php?f=9&t=17780
Post it at both sections?
Do not call me -minetest.
Call me DS or DS-minetest.
I am German, so you don't have to pm me English if you are also German.
The background is a lie.
 

GreenDimond
Member
 
Posts: 1126
Joined: Wed Oct 28, 2015 01:26
Location: Yes.
GitHub: GreenXenith
IRC: GreenDimond
In-game: GreenDimond

Re: Client-side modding section

by GreenDimond » Fri Jun 02, 2017 17:15

Doesn't the use of "." for CSM commands create problems for chat with things like
...

._.

.-.

or does it check for a command identical to the one queued and only send it as a command if a match is found?
My YuTube channel | I moderate the HOMETOWN Server. | Click here to see my (6) mods! ~Using gradient signatures since 2017. ✂️- - - - -
 

paramat
Developer
 
Posts: 3135
Joined: Sun Oct 28, 2012 00:05
Location: UK
GitHub: paramat
IRC: paramat

Re: Client-side modding section

by paramat » Sat Jun 10, 2017 23:04

nrz wrote:For the ores, we are thinking about a better ore creation

Don't worry, we're not. I wouldn't allow it and the ideas were ridiculous. Changing ore generation due to the cheat problem of CSM would have been a solution completely the wrong way around.

Anyway now many server owners and others are speaking up about other problems CSM causes, and restrictions on client-provided clientmods are being coded. Unfortunately this is being done too late, after a release that enables these problems to happen. There was discussion and strong objections raised long before release in this thread and the oredetect mod thread, so there is no excuse, the devs who were working on CSM ignored the concerns.

As a dev I am sorry I did not keep a close watch on what they were doing, I trusted them, but now wish I had made a fuss earlier. So here's my issue thread at GitHub: https://github.com/minetest/minetest/issues/5915
Celeron55's post:
"Current CSM is bad.
The design of Minetest is to give all possible control to servers."

As for the usefulness of CSM, it seems to me that the most useful use of it is with server-provided clientmods, this is consistent with the design of MT being that the server provides and controls as much as possible.
It is strange then that this has been left to last, and has even been described as difficult to achieve. However, apparently, originally this was considered the primary purpose of CSM.
So the implementation of CSM so far has been a disaster.

Unfortunately the new restrictions being coded will only be enforceable for new clients.
The thread for the restrictions PR is here https://github.com/minetest/minetest/pull/5930
Luckily for CSM, 0.5.0 is coming up in 6 months and we were already planning to break backwards compatibility then, so this will allow servers to enforce restrictions on CSM by forcing all clients to upgrade to 0.5.0.
We might release a 'point release' 0.4.16.1 in 1-2 months after CSM restrictions are coded, but old clients will still be able to get around this.
 

TumeniNodes
Member
 
Posts: 2422
Joined: Fri Feb 26, 2016 19:49
Location: in the dark recesses of the mind
GitHub: TumeniNodes
IRC: tumeninodes
In-game: TumeniNodes

Re: Client-side modding section

by TumeniNodes » Sat Jun 10, 2017 23:20

Is it possible to just wipe csm altogether in a point release?
It is still so new, that it has not been exploited much (aside from for hacking) and causing problems.

And possibly revisit the idea once it is more developed and tested?

mistakes happen, they are inevitable...
quality shows in how quickly they are addressed ; )
My brain, is AES256 encrypted, even I don't know wth I'm thinking...
 

red-001
Member
 
Posts: 205
Joined: Tue Jan 26, 2016 20:15
GitHub: red-001
IRC: red-001

Re: Client-side modding section

by red-001 » Sat Jun 10, 2017 23:27

Thank **** god that CSM mod sending hasn't been implemented for 0.4.16. I'm fairly certain, considering the current state of CSM security, that someone would have found an exploit in the sandbox that would allow them to attack the client. And once you have that sort of security exploit it's even harder to deal with than the current situation.
 

GreenDimond
Member
 
Posts: 1126
Joined: Wed Oct 28, 2015 01:26
Location: Yes.
GitHub: GreenXenith
IRC: GreenDimond
In-game: GreenDimond

Re: Client-side modding section

by GreenDimond » Sat Jul 01, 2017 15:45

We keep talking about using CSM for weather and such, which is a great idea. This does present a problem though. In the future when the server can send clients CSM mods: Say I have a server that uses a custom weather mod that I can send the client to use. If the player uses their own CSM weather mod, you get 2 conflicting weathers and possibly incompatibility. Will the server be able to detect a client's CSMs and pick which ones to allow/disallow? Or just disallow player-chosen client mods completely and send them the ones the server wants them to use? How will it work?
My YuTube channel | I moderate the HOMETOWN Server. | Click here to see my (6) mods! ~Using gradient signatures since 2017. ✂️- - - - -
 

harmony
Member
 
Posts: 409
Joined: Tue Jun 20, 2017 22:16
Location: 고향 ^-^
IRC: ynomrah
In-game: ynomrah

Re: Client-side modding section

by harmony » Tue Jul 11, 2017 17:35

GreenDimond wrote:We keep talking about using CSM for weather and such, which is a great idea. This does present a problem though. In the future when the server can send clients CSM mods: Say I have a server that uses a custom weather mod that I can send the client to use. If the player uses their own CSM weather mod, you get 2 conflicting weathers and possibly incompatibility. Will the server be able to detect a client's CSMs and pick which ones to allow/disallow? Or just disallow player-chosen client mods completely and send them the ones the server wants them to use? How will it work?

what are CSMs for?
저는 방탄소년단 를 사랑해요!!! 아미!! 김남준,김석진,민윤기,정호석,박지민,김태형,전정국,방탄소년단!
저는 블랙핑크 를 사랑해요!!! 블링크!! 김지수,김제니,박채영,리사(ปราณ ปริ ยา มโน บาล)
 

azekill_DIABLO
Member
 
Posts: 7381
Joined: Wed Oct 29, 2014 20:05
Location: Under my desk (but I can't see my monitor now X'[ )
GitHub: azekillDIABLO
In-game: azekill_DIABLO

Re: Client-side modding section

by azekill_DIABLO » Wed Jul 12, 2017 11:06

they are mods that are only handled by the client, they nearly don't interact with the server!
【OMICRON】 ; 【MILA】 update ; 【Rec_a_MT】 ; 【BB,HD】 update ; 【▶ Youtube】 This person worked too hard to be forgotten: Feedback me!
 

wilkgr76
Member
 
Posts: 831
Joined: Wed Feb 18, 2015 02:44
GitHub: wilkgr76

Re: Client-side modding section

by wilkgr76 » Thu Jul 27, 2017 05:56

EDIT: Whoops, wrong thread. My apologies! Message has been removed
N/A
 

Lejo
Member
 
Posts: 399
Joined: Mon Oct 19, 2015 16:32
GitHub: Lejo1
In-game: Lejo

Re: Client-side modding section

by Lejo » Tue Aug 01, 2017 16:46

In the client_lua_api.md there is a method to set the minetest.conf, but it doesn't work.
It says: attempt to call global "set" (a nil value)
 

DS-minetest
Member
 
Posts: 969
Joined: Thu Jun 19, 2014 19:49
Location: in front of my pc (which is at home)
GitHub: DS-Minetest
In-game: DS

Re: Client-side modding section

by DS-minetest » Tue Aug 01, 2017 17:35

Lejo wrote:In the client_lua_api.md there is a method to set the minetest.conf, but it doesn't work.
It says: attempt to call global "set" (a nil value)

The documentation is wrong here.
Do not call me -minetest.
Call me DS or DS-minetest.
I am German, so you don't have to pm me English if you are also German.
The background is a lie.
 

ManElevation
Member
 
Posts: 815
Joined: Tue Aug 02, 2016 22:04
Location: Madrid,Spain
GitHub: ManElevation
IRC: ManElevation
In-game: ManElevation

Re: Client-side modding section

by ManElevation » Thu Aug 03, 2017 23:43

DS-minetest wrote:
Lejo wrote:In the client_lua_api.md there is a method to set the minetest.conf, but it doesn't work.
It says: attempt to call global "set" (a nil value)

The documentation is wrong here.

:/
 

azekill_DIABLO
Member
 
Posts: 7381
Joined: Wed Oct 29, 2014 20:05
Location: Under my desk (but I can't see my monitor now X'[ )
GitHub: azekillDIABLO
In-game: azekill_DIABLO

Re: Client-side modding section

by azekill_DIABLO » Fri Aug 18, 2017 10:10

Is CSM dead right now? All features and possible mods seem to have been realized... I can't wait for a better API to come...
【OMICRON】 ; 【MILA】 update ; 【Rec_a_MT】 ; 【BB,HD】 update ; 【▶ Youtube】 This person worked too hard to be forgotten: Feedback me!
 

Linuxdirk
Member
 
Posts: 1525
Joined: Wed Sep 17, 2014 11:21
Location: Germany
In-game: Linuxdirk

Re: Client-side modding section

by Linuxdirk » Fri Aug 18, 2017 12:25

azekill_DIABLO wrote:Is CSM dead right now? All features and possible mods seem to have been realized... I can't wait for a better API to come...

paramat contacted some of the authors and asked them to remove their mods from the forums because of security reasons.

CSM was rushed into release anyways and I hope that it will be completely re-implemented using a feature-based whitelist.
 

jordan4ibanez
Member
 
Posts: 1893
Joined: Tue Sep 27, 2011 18:44
Location: Rhode Island, USA
GitHub: jordan4ibanez
IRC: jordan4ibanez
In-game: jordan4ibanez

Re: Client-side modding section

by jordan4ibanez » Mon Sep 18, 2017 00:30

Client side hud would be fantastic
If you can think it, you can make it! My Patreon :D
 

azekill_DIABLO
Member
 
Posts: 7381
Joined: Wed Oct 29, 2014 20:05
Location: Under my desk (but I can't see my monitor now X'[ )
GitHub: azekillDIABLO
In-game: azekill_DIABLO

Re: Client-side modding section

by azekill_DIABLO » Mon Sep 18, 2017 18:17

jordan4ibanez wrote:Client side hud would be fantastic

yes! it can do formspec! why not hud?
【OMICRON】 ; 【MILA】 update ; 【Rec_a_MT】 ; 【BB,HD】 update ; 【▶ Youtube】 This person worked too hard to be forgotten: Feedback me!
 

Linuxdirk
Member
 
Posts: 1525
Joined: Wed Sep 17, 2014 11:21
Location: Germany
In-game: Linuxdirk

Re: Client-side modding section

by Linuxdirk » Mon Sep 18, 2017 18:48

azekill_DIABLO wrote:
jordan4ibanez wrote:Client side hud would be fantastic

yes! it can do formspec! why not hud?

Because it was rushed into release and a lot of important features and the whole “security stack” are missing.
 

azekill_DIABLO
Member
 
Posts: 7381
Joined: Wed Oct 29, 2014 20:05
Location: Under my desk (but I can't see my monitor now X'[ )
GitHub: azekillDIABLO
In-game: azekill_DIABLO

Re: Client-side modding section

by azekill_DIABLO » Tue Sep 19, 2017 16:46

oh. i suspected things like that. CSM is still a 'baby'
【OMICRON】 ; 【MILA】 update ; 【Rec_a_MT】 ; 【BB,HD】 update ; 【▶ Youtube】 This person worked too hard to be forgotten: Feedback me!
 

Inocudom
Member
 
Posts: 3009
Joined: Sat Sep 29, 2012 01:14
IRC: Inocudom
In-game: Inocudom

Re: Client-side modding section

by Inocudom » Sat Nov 25, 2017 04:03

How about client-side mods that can increase color saturation and add depth-of-field?
My whole legacy is an abomination.
 

Sires
Member
 
Posts: 150
Joined: Mon Jan 02, 2017 21:00
Location: Hue knows...
GitHub: Sires0
IRC: Sires
In-game: Sires

Re: Client-side modding section

by Sires » Sun Nov 26, 2017 15:11

GreenDimond wrote:We keep talking about using CSM for weather and such, which is a great idea. This does present a problem though. In the future when the server can send clients CSM mods: Say I have a server that uses a custom weather mod that I can send the client to use. If the player uses their own CSM weather mod, you get 2 conflicting weathers and possibly incompatibility. Will the server be able to detect a client's CSMs and pick which ones to allow/disallow? Or just disallow player-chosen client mods completely and send them the ones the server wants them to use? How will it work?


In my opinion, I hope some dev considers it but ik I won't :P
Welp, I think that the server should have something like "Disable undocumented clientmods", each CSM could have some pretty specific tags about what it adds, like a documentation.txt that contains:
weather
rain
snow
Then the server can choose to disable certain CSMs with the "rain" tag and send its own CSM for rain for example.
Example 2: In some CSM for fire particles in torches, in the documentation.txt there is:
particles
fire
Then the server disables every client mod with the "fire" and "particles" tag because it already has its own CSM for that.
That's my idea :)

Also sory bay may anglish, iti is kainda bed
ym6t1ifOmoIXoa0wOI2ZyqyagF7MV2Zs

For the ones reading this, expect a new minetest game soon ;-)

Also, Sires is not pronouncied like Siri, it's from Sir, use he not she(also not it, I'm not a thing :P).

**SORY MAY BED ANGLISH**
 
