Solved bukkit/Plugin security question.

Discussion in 'Bukkit Help' started by james137137, Mar 10, 2013.

Thread Status:
Not open for further replies.
  1. Offline

    james137137

    quick but no so simple question.

    If I allowed admins of my server ftp access to my plugin folder which allowed them access to install plugins,

    is it possible to prevent any plugin from accessing outside and messing around with my system itself?

    I personally don't want to install some virtual machine.
     
  2. Offline

    monaxide

    Theres no way to tell, But id not let them, just tell them to ask u to install plugins, its not secure as they can put in any plugin, alot of plugins could be a forceop, id say dont do it.
     
  3. Offline

    Onionbro

    I wouldn't want james and others to get the wrong impression. If you download your plugns from dev.bukkit they are reviewed before approval. You only run a risk of "force op" if your plugins are obtained elsewhere. Where james is running a risk is that his admins might upload unwanted/checked plugins.

    james137137 if you can't trust them don't give them access.
     
  4. Offline

    monaxide

    Onionbro I only said that because if they betray him they could just as easily go on any griefing site and get a malicious plugin to forceop themselves.
     
  5. Offline

    james137137

    ok I'm more worried about being able to access my computer. is there anyway to prevent this?
     
  6. Offline

    asofold

    Without a SecurityManager in place the plugins might access all your systems files that the user which java runs with can access, and probably even alter them.

    If you don't run the server with a security manager (might need to add command-line options and a policy file), they can do a lot of things, even with one they could install some spam bot, or as mentioned above force op etc.

    Especially if you run it at home i would not do it. For a rented dedicated server ... maybe, depends on people / concept etc.

    Edit: Research into security manager + command line + policy file etc. if you really want to allow such.
     
  7. Offline

    drtshock Retired Staff

    Like asofold said. There are many worse things people can do with plugins than a force op. Especially with ftp access. Like others have said, only add them if it's necessary and you trust them.
     
Thread Status:
Not open for further replies.

Share This Page