Discussion about client-side modding

[Linuxdirk]

Let me pose a question: what possibly could be any better for the state of Minetest security and exposing problems than CSM?!

You mean except a security based code audit, or a more detailed permissions system, or SSL connections to servers by default, or more server-side validity checks for client actions?

[tjnenrtn]

• security based code audit: this would be fantastic, but very expensive and certainly way beyond the scale of resources available to this volunteer-run project, maybe crowdfunding is an option?
• more detailed permissions system: extra granularity here would be great, pretty sure I've seen improvements discussed over on git, but I'm not sure how much is actually gained from this in terms of server security posture
• SSL by default: would be awesome and maybe this is possible now with Let's Encrypt, but as you know provides no protection whatsoever from client-side exploits which is the context of this discussion
• server-side validity checks: this one! imho this is an argument for CSM, not against as it is now the very thing driving devs to focus on these concerns; already improvements are landing such as private meta, I'm sure more will follow

There are some valid concerns about CSM, sure, but the FUD and hostility are completely uncalled for (not to mention cringe-worthy) given the huge amount of free work done by volunteers to make this game.

[kaadmy]

Well...
Having more secure privilegess is pretty useless, since the client can just ignore specific privileges because they're all checked client-side.
I could literally add one line to the client give myself all movement/rendering privileges.

[Linuxdirk]

Having more secure privilegess is pretty useless, since the client can just ignore specific privileges because they're all checked client-side.

Then on server side check all stuff a client does against a list of things a client could do and if it differs: kick.

[Desour]

What to do with a mod that can be server- and client-side?
viewtopic.php?f=9&t=17780
Post it at both sections?

[GreenXenith]

Doesn't the use of "." for CSM commands create problems for chat with things like

...

._.

.-.

or does it check for a command identical to the one qued and only send it as a command if a match is found?

[paramat]

For the ores, we are thinking about a better ore creation

Don't worry we're not, i wouldn't allow it and the ideas were ridiculous. Changing ore generation due to the cheat problem of CSM would have been a solution completely the wrong way around.

Anyway now many server owners and others are speaking up about other problems CSM causes, and restrictions on client-provided clientmods are being coded. Unfortunately this is being done too late, after a release that enables these problems to happen. There was discussion and strong objections raised long before release in this thread and the oredetect mod thread, so there is no excuse, the devs who were working on CSM ignored the concerns.

As a dev i am sorry i did not keep a close watch on what they were doing, i trusted them, but now wish i had made a fuss earlier. So here's my issue thread at Github https://github.com/minetest/minetest/issues/5915
Celeron55's post:
"Current CSM is bad.
The design of Minetest is to give all possible control to servers."

As for the usefullness of CSM, it seems to me that the most useful use of it is with server-provided clientmods, this is consistent with the design of MT being that the server provides and controls as much as possible.
It is strange then that this has been left to last, and has even been described as difficult to acheive. However apparently, originally this was considered the primary purpose of CSM.
So the implementation of CSM so far has been a disaster.

Unfortunately the new restrictions being coded will only be enforceable for new clients.
The thread for the restrictions PR is here https://github.com/minetest/minetest/pull/5930
Luckily for CSM 0.5.0 is coming up in 6 months and we were already planning to break backwards compatibility then, so this will allow servers to enforce restrictions on CSM by forcing all clients to upgrade to 0.5.0.
We might release a 'point release' 0.4.16.1 in 1-2 months after CSM restrictions are coded, but old clients will still be able to get around this.

[TumeniNodes]

Is it possible to just wipe csm altogether in a point release?
It is still so new, that it has not been exploited much (aside from for hacking) and causing problems.

And possibly revisit the idea once it is more developed and tested?

mistakes happen, they are inevitable...
quality shows in how quickly they are addressed ; )

[red-001]

Thank **** god that CSM mod sending hasn't been implemented for 0.4.16. I'm fairly certain considering the current state of CSM security that someone would have found an exploit in the sandbox that would allow them to attack the client. And once you have that sort of security exploit it's even harder to deal with then the current situation.

[GreenXenith]

We keep talking about using CSM for weather and such which is a great idea. This does present a problem though. In the future when the server can send clients CSM mods: Say I have a server that uses a custom weather mod that I can send the client to use. If the player uses their own CSM weather mod, you get 2 conflicting weathers and possibly incompatibility. Will the server be able to detect a clients CSMs and pick which ones to allow/disallow? Or just disallow player-chosen client mods completely and send them the ones the server wants them to use? How will it work?

[harmony]

We keep talking about using CSM for weather and such which is a great idea. This does present a problem though. In the future when the server can send clients CSM mods: Say I have a server that uses a custom weather mod that I can send the client to use. If the player uses their own CSM weather mod, you get 2 conflicting weathers and possibly incompatibility. Will the server be able to detect a clients CSMs and pick which ones to allow/disallow? Or just disallow player-chosen client mods completely and send them the ones the server wants them to use? How will it work?

what are CSMs for?

[azekill_DIABLO]

they are mod that are only handled by client, they nearly don't interact with the server!

[wilkgr76]

EDIT: Whoops, wrong thread. My apologies! Message has been removed

[Lejo]

In the client_lua_api.md there is a methode to set the minetest.conf, but it don't work.
It says: attempt to call global "set" (a nil value)

[Desour]

In the client_lua_api.md there is a methode to set the minetest.conf, but it don't work.
It says: attempt to call global "set" (a nil value)

The documentation is wrong here.

[ManElevation]

In the client_lua_api.md there is a methode to set the minetest.conf, but it don't work.
It says: attempt to call global "set" (a nil value)

The documentation is wrong here.

:/

[azekill_DIABLO]

Is CSM dead right now? All features and possible mods seem to have been realized... I can't wait for a better API to come...

[Linuxdirk]

Is CSM dead right now? All features and possible mods seem to have been realized... I can't wait for a better API to come...

paramat contacted some of the authors and asked them to remove their mods from the forums because of security reasons.

CSM was rushed into release anyways and I hope that it will be completely re-implemented using a feature-based whitelist.

[azekill_DIABLO]

I hope so :)

[jordan4ibanez]

Client side hud would be fantastic

[azekill_DIABLO]

Client side hud would be fantastic

yes! it can do formspec! why not hud?

[Linuxdirk]

Client side hud would be fantastic

yes! it can do formspec! why not hud?

Because it was rushed into release and a lot of important features and the whole “security stack” are missing.

[azekill_DIABLO]

oh. i suspected things like that. CSM is still a 'baby'

[Inocudom]

How about client-side mods that can increase color saturation and add depth-of-field?

[Sires]

We keep talking about using CSM for weather and such which is a great idea. This does present a problem though. In the future when the server can send clients CSM mods: Say I have a server that uses a custom weather mod that I can send the client to use. If the player uses their own CSM weather mod, you get 2 conflicting weathers and possibly incompatibility. Will the server be able to detect a clients CSMs and pick which ones to allow/disallow? Or just disallow player-chosen client mods completely and send them the ones the server wants them to use? How will it work?

In my opinion, I hope some dev consider it but ik I won't :P
Welp, I think that the server should have something like "Disable undocumented clientmods", each CSM could have some pretty spefic tags about what is adds, like a documentation.txt that contains:
weather
rain
snow
Then the server can choose to disable certain CSMs with the "rain" tag and send it's own CSM for rain for example.
Example 2: In some CSM for fire particles in torches, in the documentation.txt there is:
particles
fire
Then the server disables every client mod with the "fire" and "particles" tag because it already have it's own CSM for that.
That's my idea :)

Also sory bay may anglish, iti is kainda bed