Is it possible to deny craftbukkit console commands with Unix if the Unix user is not Admin/Root?

Discussion in 'Plugin Development' started by Sheepii, Feb 2, 2015.

Thread Status:
Not open for further replies.
  1. Offline

    Sheepii

    Admin being a root created user with a higher access level for security purposes of only using the minecraft ( I like user security).

    For instance, if I were to give one of my admins access to console, but I took away their privileges to say, /op someone. Is this possible?

    I don't want to deny ConsoleSender completely, please keep this in mind.
     
  2. Offline

    1Rogue

    You would need a form of authentication to either the screen object being run or for every command, either that or you would have to set up profiles for the ConsoleCommandSender and disallow more than one person accessing the console at a given time.

    This would be more easily done using the built-in remote connection, and then verifying details with the ensuing RemoteConsoleCommandSender, for which you could verify different senders based on an authentication command (and different people wouldn't be accessing the same screen).

    Overall this seems a bit silly though, if you're already giving them access to your file system then they can do much worse things than what you'd be able to do through a console.
     
    Last edited: Feb 2, 2015
    Sheepii likes this.
  3. Offline

    pie_flavor

    @Sheepii You could also just use a custom /op, deny all use of the original /op commands, and require a password to use your custom /op command.
     
  4. Offline

    Sheepii

    Well I wouldn't be giving them access to the file system. Unix can take away r/w/x privileges to users based on user permissions. So, I basically take away admins privileges to alter certain plugins (read/write/execute privileges), or read access to folders that I don't want them to access IE server.properties, bungee-cord config, ect.

    I can make it so they don't have access to those files via console and UNIX commands. Which I've done, actually. The reason is, console gives my lead admins the ability to basically start and stop the servers when they need to, edit configuration that have to do with plugins and personal use, such as worldguard/worldedit/various other plugins configs which I allow them to r/w/x via their created user. This is all while being connected to a very large network.


    The problem I'm having is, I have global commands that can be used only recognized as console (because it's the ultimate permission node), and without anything to combat this, I simply can't give my Administrators access to a console.

    Btw thank you for responding, I'll definitely look into what you're saying.
     
  5. Offline

    1Rogue

    If you try using rcon locally (remote connection to yourself on the *nix environment), you can set up this authentication form for the duration of the rcon connection (and simply have a tool that executes and wraps this rcon in unix for the individual user, and don't forget to disable piping input/output).
     
Thread Status:
Not open for further replies.

Share This Page