Same security model for user- and server-provided CSM?

by Yvanhoe

Hello,

I am a bit confused by the assumptions about CSMs, and from reading some conversations it looks like I am not the only one. I feel like the definition and the security model of CSM shifted in the last two years.

Nowadays, it is mostly about running scripts sent by the server, so CSMs (or SSCSMs, as I sometimes see server-provided CSMs called) are aggressively sandboxed, because you never know when you are going to connect to a hostile server, and you don't want to offer remote execution vulnerabilities.

It looks, however, like before SSCSMs were discussed, CSMs were mostly user-provided, and as such understood to carry the same security risk for the user as installing a server mod does for a server administrator. One could see a local CSM as an alternative to forking the client and painstakingly adding modifications in C++.

I kind of miss this second model. I am currently exploring the possibility of interfacing a good text editor with minetest (probably through an atom plugin) but the current CSM security model makes it extremely difficult for (I feel) no good reason.

I'd like the ability to add local mods to `secure.trusted_mods`. I understand that you probably don't want to give that option to server-provided mods, but user-provided ones should have it.

Currently I have identified two ways to communicate with another process, both pretty hacky:
  • The minetest-mumble-wrapper captures minetest's process stderr and reads outputs by a CSM to get the player position. It is uni-directional and uselessly fills logs.
  • I can read the `client/mod_storage` file and hack some bi-directional communication there. Unfortunately there is no locking mechanism (it is a json file, not a .sqlite file) and quick reactions would require parsing the whole file (which could quickly grow in size) several times a second. Things can get messy quickly with two processes trying to write to the same file.
Right now I think I'll use option 2, but I wish there were a way for CSMs to open a channel for interacting with local processes. Actually, I am really considering making a PR to allow local mods that have been manually whitelisted in `secure.trusted_mods` (and that are checked not to be overwritten by an SSCSM with the same name) to require an insecure environment, like server mods currently can, but I got the impression that this issue was a bit hot. What do people here think?
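Option 2 above, written out as an added example (my code, not Yvanhoe's and not part of Minetest): the external-process side of a file-based channel over the client mod_storage JSON. It assumes the file is a flat JSON object of string keys to string values, and that Minetest rewrites it in place without taking any lock, which is exactly the failure mode the post describes: a reader can catch a half-written file, and two writers can interleave. The sidecar lock file, the key names and the sample contents are constructed for the example.

```python
"""External-process side of a file-based channel over Minetest's client
mod_storage JSON. Added example, not Minetest's code. Assumes a flat JSON
object of string->string; Minetest itself writes without locking."""
import fcntl  # POSIX advisory locks; not available on Windows
import json
import os
import tempfile

# Constructed sample content; the key names are this example's own convention.
SAMPLE_STORAGE = {"player_pos": "10.5,64.0,-3.2", "csm_req": "", "ext_reply": ""}


def new_temp_storage_path():
    """Fresh path in a private temp dir, so the demo never touches a real client dir."""
    return os.path.join(tempfile.mkdtemp(prefix="csm_channel_"), "mod_storage.json")


def _parse(path):
    """Parse without locking. None means a missing or half-written (torn) file,
    which is what a reader sees if Minetest is mid-write; callers keep their
    last good snapshot and retry on the next tick instead of crashing."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            data = json.load(fh)
    except (FileNotFoundError, json.JSONDecodeError):
        return None
    return data if isinstance(data, dict) else None


def _locked(path, mode):
    """Open the sidecar lock file and flock() it. The data file itself is never
    locked: it is replaced wholesale, so a lock on the old inode would be
    useless, and Minetest would not honour it anyway. Closing releases the lock."""
    lock = open(path + ".lock", "a")
    fcntl.flock(lock.fileno(), mode)
    return lock


def read_storage(path):
    """Snapshot under a shared lock so no cooperating writer is mid-replace."""
    with _locked(path, fcntl.LOCK_SH):
        return _parse(path)


def write_keys(path, updates):
    """Read-modify-write under an exclusive lock, then atomically swap the new
    file in with os.replace(), so readers see either the old or the new document."""
    with _locked(path, fcntl.LOCK_EX):
        current = _parse(path) or {}
        current.update({k: str(v) for k, v in updates.items()})  # string values by assumption
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".mod_storage.")
        try:
            with os.fdopen(fd, "w", encoding="utf-8") as fh:
                json.dump(current, fh)
                fh.flush()
                os.fsync(fh.fileno())
            os.replace(tmp, path)
        except BaseException:
            os.unlink(tmp)
            raise
        return current


def poll_if_changed(path, last_mtime_ns):
    """Cheap change detection for a loop that runs several times a second:
    stat() first, parse only when the mtime moved. Returns (snapshot, mtime_ns);
    snapshot is None when nothing changed or the file was torn. A torn read does
    not advance the mtime, so the next tick re-reads it."""
    try:
        mtime = os.stat(path).st_mtime_ns
    except FileNotFoundError:
        return None, last_mtime_ns
    if mtime == last_mtime_ns:
        return None, last_mtime_ns
    snap = read_storage(path)
    return snap, (mtime if snap is not None else last_mtime_ns)


if __name__ == "__main__":
    p = new_temp_storage_path()
    write_keys(p, SAMPLE_STORAGE)
    seen, mt = poll_if_changed(p, 0)
    print("initial:", seen)
    write_keys(p, {"ext_reply": "pong"})
    seen, mt = poll_if_changed(p, mt)
    print("after reply:", seen)
```

The lock only coordinates processes that opt into it; Minetest does not take it. What the example does guarantee is that a torn read is detected instead of killing the loop, that the external writer never leaves a half-written file behind, and that polling several times a second costs a stat() rather than a full parse. Whether Minetest re-reads the file before its own saves is not something the example assumes, so treat the channel as last-writer-wins and give each direction its own keys.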

Re: Same security model for user- and server-provided CSM?

by rubenwardy (Moderator)

The intention for client-side scripting is to allow games and mods to have further capabilities that were not possible before. User-provided mods are a by-product. Eventually you'll be able to program custom GUI elements, animate entities, and more. See this page: https://dev.minetest.net/Client_scripting_plans

The sandbox needs to be much more secure than the server-side sandbox, and allowing any mods to access an insecure environment is a massive reduction in security. This fact is mostly ignored for server mods, as there is not usually any capability to do remote execution. Perhaps client-provided mods could run in an entirely separate Lua environment, in which case this feature could potentially be added.

Re: Same security model for user- and server-provided CSM?

by Yvanhoe

Ah ok, that was the other way around, client-side scripting being a side effect of SSCSM. Thanks that clears some things up.

Actually, I think your message also clears another misconception for me. I used to consider that Minetest being presented as a game engine meant that the purpose was to include it into other games, like Ogre, for instance. In this case, having a local scripting engine to give access to the whole internal API and all the external dependencies the dev may want, makes sense.

But I feel the direction minetest is taking is more of a thin client for a variety of games that are server-contained and have to be securely delivered to the client?

If that's the case, how about just allowing CSMs to accept connections from localhost to a local port (set by the client's settings) and maybe use the modchannel API to allow other processes to exchange data?

I don't think it creates additional vulnerabilities, and it would allow things like an atom plugin or the mumble wrapper to work without adding an unholy stream of messages in the terminal.
