Solved bukkit/Plugin security question.

Discussion in 'Bukkit Help' started by james137137, Mar 10, 2013.

Thread Status:
Not open for further replies.
  1. Offline

    james137137

    Quick but not so simple question.

    If I allowed admins of my server FTP access to my plugin folder, which allowed them access to install plugins, is it possible to prevent any plugin from accessing outside and messing around with my system itself?

    I personally don't want to install some virtual machine.
     
  2. Offline

    monaxide

    There's no way to tell, but I'd not let them; just tell them to ask you to install plugins. It's not secure, as they can put in any plugin, and a lot of plugins could be a force op. I'd say don't do it.
     
  3. Offline

    Onionbro

    I wouldn't want james and others to get the wrong impression. If you download your plugins from dev.bukkit they are reviewed before approval. You only run a risk of "force op" if your plugins are obtained elsewhere. Where james is running a risk is that his admins might upload unwanted/checked plugins.

    james137137, if you can't trust them, don't give them access.
     
  4. Offline

    monaxide

    Onionbro I only said that because if they betray him they could just as easily go on any griefing site and get a malicious plugin to forceop themselves.
     
  5. Offline

    james137137

    OK, I'm more worried about being able to access my computer. Is there any way to prevent this?
     
  6. Without a SecurityManager in place, the plugins might access all your system's files that the user which Java runs with can access, and probably even alter them.

    If you don't run the server with a security manager (might need to add command-line options and a policy file), they can do a lot of things; even with one they could install some spam bot or, as mentioned above, force op etc.

    Especially if you run it at home I would not do it. For a rented dedicated server ... maybe, depends on people / concept etc.

    Edit: Research into security manager + command line + policy file etc. if you really want to allow such.
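
The security manager, command-line options and policy file mentioned in the post above, as an added example that is not part of the original thread. The server path, the jar name `craftbukkit.jar` and the permissions granted to plugins are assumptions, and it only applies to Java versions that still support the Security Manager (deprecated for removal in Java 17).

```shell
#!/bin/sh
# Added example: generate a Java policy file that confines plugin jars.
# The directory layout and the jar name craftbukkit.jar are assumptions.

write_policy() {
    server_dir=$1
    policy_file=$2
    cat > "$policy_file" <<EOF
// The server jar itself keeps full rights.
grant codeBase "file:${server_dir}/craftbukkit.jar" {
    permission java.security.AllPermission;
};

// Every jar under plugins/ (the trailing "-" means recursive) gets only this:
// its own data folder, read-only world data, and reading system properties.
grant codeBase "file:${server_dir}/plugins/-" {
    permission java.io.FilePermission "${server_dir}/plugins/-", "read,write,delete";
    permission java.io.FilePermission "${server_dir}/world/-", "read";
    permission java.util.PropertyPermission "*", "read";
};
EOF
}

launch_command() {
    server_dir=$1
    policy_file=$2
    # "==" makes this the only policy in force instead of adding it to the
    # JVM's default policy files.
    printf 'java -Djava.security.manager -Djava.security.policy==%s -jar %s/craftbukkit.jar\n' \
        "$policy_file" "$server_dir"
}

# Constructed sample paths; the server is not started, the command is printed.
demo_dir=${TMPDIR:-/tmp}/policy-demo.$$
mkdir -p "$demo_dir"
write_policy /srv/minecraft "$demo_dir/server.policy"
launch_command /srv/minecraft "$demo_dir/server.policy"
rm -rf "$demo_dir"
```

Anything not listed, such as sockets, process execution or files outside the server directory, is denied to plugin code, so plugins that need more will fail until a matching permission is added. Running the JVM as a dedicated unprivileged OS user still bounds what any plugin can reach if the policy is wrong.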
     
  7. Offline

    drtshock

    Like asofold said, there are many worse things people can do with plugins than a force op, especially with FTP access. Like others have said, only add them if it's necessary and you trust them.
     