
Stop Lua entering other folders using Linux

15 replies

Conscience (User)
Hello, before I explain the problem I want to note that I did not know if I should put this in Counter-Strike 2D section because this is generally about Linux. My apologies if this is not the case, please move my thread if I posted in the wrong section.

My problem is I'm trying to stop Lua entering folders it's not allowed to using Linux permissions (I'm not a genius with Linux, but I hope it works anyway).

Lua as we all know can open, read and write into files whenever it feels like it. I don't want that, so let me explain what I want:

I have two folders, let's call them the following:
/home/user1/cs2d/server1
/home/user2/cs2d/server2
What I want is server1 not being able to get into server2. I've tried messing around with permissions but nothing seems to work how I want it to. I've had a problem that server1 could not do anything, even starting the cs2d_dedicated so I changed the permissions for that file only so it could run. That worked, but Lua could not even start (dofile), so I changed that as well but became stuck with the problem that game modifications such as saved files won't work. Yet again I changed the permissions so the lua folder, let's call it:
/sys/lua/mod
Could dofile other Lua files and create and manage save files for players. But then I realised /home/user1/cs2d/server1 could go into /home/user2/cs2d/server2 via the /sys/lua/mod folder - So now I'm back at stage 1.

If anyone here has a great understanding of Linux Debian Wheezy then be my guest and help me as much as you can. As I said before, I am no genius with Linux so please explain as basic as possible (posting commands would be a great help!)

Thank you

Re: Stop Lua entering other folders using Linux

Infinite Rain (Reviewer)
You could re-write io functions. Like that:

_ioOpen = io.open

io.open = function(string, property)
	if string == "<whatever forbidden path is>" then
		return nil
	else
		return _ioOpen(string, property)
	end
end
May be a solution, my apologies if that doesn't help.

Re: Stop Lua entering other folders using Linux

VADemon (User)
Running in Windows:
io.open("somefile.txt", "w") -- will open a file in the same directory
io.open("../somefile.txt", "w") -- will open a file in the directory above
io.open("/../somefile.txt", "w") -- will open a file in the current drive, e.g. D:\somefile.txt
And the only way is to use OS' permissions
http://en.wikipedia.org/wiki/Directory_traversal_attack
Something to look at: https://www.youtube.com/watch?v=z0cjQgZpdOE
http://www.unrealsoftware.de/img/test/../../index.php

Re: Stop Lua entering other folders using Linux

EngiN33R (Moderator)
@Infinite Rain: And now read VADemon's post and tell me where he mentioned that the code only works on Windows. The code and the theory hold true for Linux, too, so no need to be rude.

Essentially, Conscience would have to either rewrite the default function to exclude certain paths (could potentially use regex to cover a certain range) or play around with Linux's permissions. The latter seems more viable, of course.

Now I don't have Linux handy right now, but making a user who only has access to a certain server directory seems like a good idea. Make their respective users the owners of server1 and server2 and set the permissions of the folders and their contents recursively to 700. That way, no one except the owners will be able to do anything in the folders, theoretically not even cd into them.

However, thanks to a fucked up epiphany that struck me in writing this post, I think you could also do this:

• Have a cs2d_dedicated outside the scope of all servers
• Make a shell script that starts the server with -path path/to/server1, so it would use server1 as the working directory
• In that shell script, add chroot $! path/to/server1 after starting the server to confine it to server1 only
• Disallow reading and writing to that shell script, only allow executing it (e.g. chmod start.sh 100)

Again, this is hacky and probably not a very good idea, but it looks like it might work. The user method still seems like the better way.
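
The per-user lockdown suggested in the post above, as an added shell example that is not part of the original thread. It removes group/other access with `go-rwx` instead of a literal recursive 700 so that save files do not become executable; the account names `user1`/`user2` and the location of `cs2d_dedicated` inside each server folder are assumptions, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: accounts user1 and user2 exist.

# count_exposed DIR: how many entries under DIR grant any permission bit to
# group or other. Symlinks are skipped (their own mode bits are not enforced).
count_exposed() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null |
        wc -l | tr -d ' '
}

# lock_down DIR [OWNER]: strip every group/other bit recursively, so only the
# owning account can enter, read or write. With OWNER (needs root) the tree
# is first handed to that account.
lock_down() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    if [ -n "${2:-}" ]; then
        chown -R "$2" "$1" || return 1
    fi
    chmod -R go-rwx "$1"
}

# demo: constructed tree standing in for /home/user2/cs2d/server2.
# Prints "<exposed entries before> <exposed entries after>".
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/server2/sys/lua/mod"
    echo 'print("mod loaded")' > "$root/server2/sys/lua/mod/server.lua"
    echo 'constructed save data' > "$root/server2/sys/lua/mod/save_1.txt"
    chmod -R 755 "$root/server2"        # typical world-readable starting point
    before=$(count_exposed "$root/server2")
    lock_down "$root/server2"
    after=$(count_exposed "$root/server2")
    rm -rf "$root"
    echo "$before $after"
}

demo

# On the real host, as root (paths from the first post, account names assumed):
#   lock_down /home/user1/cs2d/server1 user1
#   lock_down /home/user2/cs2d/server2 user2
# Then start each server under its own account so the kernel enforces the split,
# whatever Lua's io.open is asked to open:
#   su -s /bin/sh -c 'cd /home/user1/cs2d/server1 && ./cs2d_dedicated' user1
```

Running `count_exposed` from cron on each server folder gives an early warning if a later upload or unpack reintroduces group or world access.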

Re: Stop Lua entering other folders using Linux

Starkkz (Moderator)
@Apache uwu:
function replaceFunction(a, b)
	return function (...) return b(a, ...) end
end
io.open = replaceFunction(io.open, function (_ioOpen, path, mode) end)
I made it on mobile so I have no idea if it works. It replaces io.open with an empty function, the original function should be pushed as the first argument of the new function (The global function defined in this variable is eliminated and the new one keeps the pointer of it in the upvalues)

Re: Stop Lua entering other folders using Linux

DannyDeth (User)
Infinite Rain has written:
_ioOpen = io.open

io.open = function(string, property)
	if string == "<whatever forbidden path is>" then
		return nil
	else
		return _ioOpen(string, property)
	end
end

And when malicious person realises it doesn't work.
for k,v in pairs(_G) do print( k, v ) end