 |
 |
|
|
|
|
|
| Author |
Message |
Marilla
Joined: 02 Feb 2006
Posts: 329
|
 Posted: Wed Dec 06, 2006 7:36 pm Post subject: |
 |
|
First, is a very big issue of trust, with me. Under NO circumstances at all would I accept someone to be a scripter who has not already been a staff member on my shard for some time, and who has shown that they are completely trustworthy, and have the proper aptitude. In turn, I also do not accept ANY staff members who have not been players for a long time, and who did not show aptitude and trustworthiness as a player. Finally, I don't bring people on as staff (and, therefore, scripter) if they've ever asked to do it. To me, the best candidates for staff and scripters are people who have the abilities and creativeness, but who really don't want to do it... people who have to be talked into it by having it explained to them what cool things they could accomplish, over and above what they already do as players.
I know your question was not about picking staff members, but to me, a scripter is simply something of a specialized staff member, that in some ways, has higher access. So, just as I would never accept a player 'off the street' to be a staff member, I would also never accept anyone 'off the street' to be a scripter, either. I think this is something that lots of shard admins really go wrong on, with both staff and scripters, so I'm taking a lot of time to go into it; but I think trust takes time to earn, and I think it's only valid to earn it when they don't know they are 'acting' for an evaluation to come in the future. So, for us; every person we've ever asked to be staff or to help with scripting, it is always someone who never breathed a word of it themselves.
Once you do decide to give someone some access to work on scripting and such, there are a couple of what I feel are 100% iron-clad rules, and then there are some 'steps' as far as how to let them in to things.
Rules rules rules!
Don't give them access to the operating system. Ever. Do not give them the ability to have a full, interactive login on the server. Whatever operating system you are using, you can carefully assign them their own, unique user login, and then give that login only the exact rights they need to do their job. In fact, I recommend that you actually have that be nothing at all. That is, I recommend your scripters do not have ANY direct access to your server at all, but instead, you give them the files that need separately, and they send you their completed work. Personally, I have never gone beyond that level of access with anyone.
But if you do choose to give them some direct access, (or, for deciding what information you should send them...) here are some guidelines about what they should not have access to.
They should not have any rights to overwrite executable files. They don't need to be touching the pol, uoconvert or ecompile binaries. Perhaps they can have execute-only privs on uoconvert or ecompile, assuming you've decided to give them that level of access, but they should never have write permissions to it. No matter what operating system you are on, it's elementary to limit access to files (specific, or a whole directory) based on users.
They should never have even read-only rights to the data directory. Whether by accident, ignorance or purpose, they can really - pardon my language - but screw your shard with such access. Even with read-only access; You may think that because you don't store passwords in the account file, for instance, that you have nothing to fear there. But most people use trivial passwords for their account, and while no one is going to be able to figure out the password from the hash info, they can do something much easier: take a hacking dictionary, and apply the hashing algorithm to it. For example, take the word 'password', hash it using the same algorithm that POL uses, and see if it matches anyone's password in the accounts.txt file. There are programs that are easy to get and use that automate this process.
If you have a dev-type person that TRULY needs the real data from the shard, here's one possible solution: alter ALL of the account entries (via a Perl script or some other program) to have all the same old-style, plain text passwords, and remove all of the hash entries. POL -should- convert all the 'new' passwords into hashes, making them all the same thing, so your dev can test with that data, but will never know the real passwords. I've never had to do this, though, and it's best if it can be avoided.
I think you also have to look at the security perhaps not only with an eye toward purposeful harm, but accidental or ignorant harm. If you give someone direct access to the shard files, and ability to compile scripts, maybe they are perfectly trustworthy - but maybe they aren't aware of some quirk of eScript or POL itself, and maybe they implement a script without your knowledge that crashes the shard, locks it up, or corrupts some long-standing custom system you have. I have one person that does scripting, and a number of people that have altered scripts and worked on configuration issues over a long span of time. I trust all of those people entirely. However, it's not their shard; it's mine. Ultimately, I'm the one responsible for everything that gets put in. Call me a control freak (I do!), but that means I never put any file onto my production shard until I've vetted it myself.
In this, I go back to something I mentioned right at the start: time is an important factor here. The more time you see someone's scripting work (talking months and years here - not days and weeks), the more you can trust their work to meet your standards of quality. And the more time goes on where you don't see these people pulling little drama queen stunts when they don't think you are looking, stabbing others behind the back, or doing other things that should be very clear indicators that they are not to be trusted, well; the more you can trust them.
But it takes time - real time - and a willingness to understand and believe that if someone does something to someone else, they'll do it to you, as well. The fact that they say or seem to have justification for what they did to someone else just means, well... it means that everyone else will also be convinced that when they abuse your trust, they also had a good reason for it.
So.. umm... yeah  |
|
 |
|
|
|
|
|
|
|
|
|
| Author |
Message |
Marilla
Joined: 02 Feb 2006
Posts: 329
|
| Posted: Wed Dec 06, 2006 9:39 pm Post subject: |
|
|
| Yukiko wrote: | | I was curious about how much of your scriptset do you make available to your scripters? |
I think you asked that in the first post, and I just did not get around to commenting on it. D'oh! 
That's probably the most difficult issue. My main scripter gets basically the entire shard's files; I have a little prog that copies the directory structure and .src, .inc and .cfg files in them, and zips them up to send. He's the only one with access to that; not because I trust any one else less (and I don't), but just because he's the only one who works on a broad enough range of stuff to make it needed for him to have that access.
Generally, I send people only the exact files they need to work on. Due to includes, it's not always easy to do when it's scripts they may be working on.
If I had more people working more regularly on things, I think I would have to work out a system where they would be working on specific packages or groups of packages. I would alter my little snarfing/zipping program to enable me to specify which dirs they should get, and then add in any includes that might be specific to what they need to do. (I try to keep most of my includes in packages, so in many cases for me, I might be able to get away with sending them only a couple includes in addition to the package(s)).
It can definitely be a pain to 'limit' access in this way, but I think it can serve other purposes; It keeps you more 'hands on' for a while, by simple necessity. It can keep them from a desire to wander to projects maybe you didn't really want them fussing with, just yet.
As they do more for you, and you know that they are competent and trustworthy, you'll also get more tired of being so picking about what they have access to. Oh... also, side note; One thing you could do to make access a bit easier than the quasi-manual zipping I do is to give them read-only FTP Access with their own user account, and be sure to limit them only to files they are meant to see. Give them rights to directories they need access to (only for reading), and if any of those files have private info or files you don't want them to have access to, specifically deny it.
Another option you could try; If I recall correctly, the first couple things that the scripter I have now did were completely stand-alone. That's a good way to start to get an idea if they have any clue what they are doing |
|
|
|
|
|
|
|
|
|
|
|
| Author |
Message |
Marilla
Joined: 02 Feb 2006
Posts: 329
|
| Posted: Wed Dec 06, 2006 11:43 pm Post subject: |
|
|
*nods* I don't like running anything at all extra on mine, either. If you by any chance already have IIS running on any machine that is behind the firewall, you could use that. If IIS is already running a web site, adding the FTP Service really isn't much extra at all.
For my own access to my production shard, I have a firewall and VPN, and then a private FTP server behind them. Though it's on a different server on the network, I do ALL my file access (web, DB and game servers) through that single FTP service, run by IIS. I just have virtual FTP directories set up from the FTP server to the appropriate locations on the other systems, as needed. So none of the other servers need to have FTP running (one has a public FTP server for people that have fan sites we host, but that's it).
On Linux, if you are running Samba, you could do the same from another server with FTP. There are, however, some fairly lean and mean FTP servers you could get for Linux... but still.. sometimes you just really want nothing else running.. and doing it manually isn't that bad, really, anyway; It makes sure you know exactly what goes out.
Another thing that can be a pain is getting FTP through the firewall; Since FTP takes two connections, and only the control connection is on TCP/21; Active FTP is pretty much out of the question any more with widespread use of NAT Routers and incoming-software firewalls like the Windows firewall, but Passive FTP just puts the burden back on the server to have a dynamic, open port coming back in. For our public FTP server, we have a mod to our iptables stuff on the firewall server that handles dynamically opening the required data connection back in, but it has to be configured specifically for the matching control port (it comes by default set up to work with TCP/21)... depending on where your game server is hosted, TCP/21 might not be available anyway; But anywho.. umm... I'm rambling. Imagine that! |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Author |
Message |
Marilla
Joined: 02 Feb 2006
Posts: 329
|
| Posted: Thu Dec 07, 2006 3:13 am Post subject: |
|
|
Something to consider for remote management - but ONLY when you have (as you do) a secure access (in my case, a VPN - in your case, you are behind the firewall anyway, so your admin traffic does not go outside of the firewall)... it's MUCH lighter on both client and server, is free, and is being actively developed;
TightVNC: http://www.tightvnc.com/
It's based on the old AT&T Labs VNC. There are other flavors of VNC available, as well, but I find TightVNC to be, well, the tightest
It's a really simple desktop; you set it up as a service on Windows (it will require WinNT/2K/XP/2K3 to do so), and set up a password for it. You then make sure the VNC service is running.
Then you can log in to it via the TightVNC client program. There's also a Java client that is automatically hosted by the server as well, to simply log in via any web browser by pointing to http://server-ip:5900/ I prefer to use the client, myself.
Note that VNC communications are NOT encrypted, so it's never safe to use to connect to a server where your connection travels an untrusted network; but when server and client are behind the same LAN (literally, or over a VPN), it's an excellent lightweight option to get full desktop access.
It does not provide file transfer capabilities, but again; it's made to be as bare-bones as possible, so that it's a small program. You can use File sharing to do the files. If you currently have file sharing disabled on that server, I actually think it would be much lighter load on the server to have File Sharing + VNC than to have PCA.
And finally, one more note: Often, you really don't need a full desktop, anyway. If your shard's running on a Server version of Windows, you can use the built-in Telnet service to provide a command shell. Depending on your network setup (same password/username on client machine, and the appropriate Windows login capabilities), you may or may not need to adjust the Telnet login settings via the Telnet Server applet (by default, it is configured only to accept integrated Windows logins, but it can also be set to allow you to type in your username/password at the standard prompt)
You would just then go to Start->Run and type telnet SERVER-IP-OR-NAME, and you'll be directed right to the command prompt of the server. From there, you can start/stop the POL service, run eCompile, and even edit text files if you get a terminal-capable text editor (the Dos 'EDIT' program that comes with Windows does NOT work properly over a Telnet session... you'll get the Edit program open, but you won't be able to use any of the menu commands!)
As with VNC, Telnet should ONLY be used over a trusted network, as it, too, sends all info unencrypted. But Telnet alone, if available, should be able to handle almost all of your server-side work for POL. The Telnet service also has a very tiny footprint memory/CPU wise.
Err... of course, if you are not running on a Server operating system, ignore everything I just said Win9X, Win2K Pro and WinXP do not have the Telnet service available. You would still use TightVNC and be 'lighter' than with PCA, though, provided you have at least Win2K. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Author |
Message |
Marilla
Joined: 02 Feb 2006
Posts: 329
|
| Posted: Thu Dec 07, 2006 9:08 pm Post subject: |
|
|
| Yukiko wrote: | | Never thought about the seperate accounts Maud. |
Isn't that what I was saying from the beginning? Give them each their own accounts, and assign appropriate permissions... 
If you have XP Home, it's a bit complex to do this - you need to be in safe mode or use the cacls command-line utility to assign permissions. XP Home hides the 'Security' tab on the properties window of files and folders unless you are in Safe Mode. Alternatively, I have a program I wrote that produces the 'Security' tab on Windows XP Home, even while not in safe mode. Unlike some other 'hacks' to get around that limitation of XP Home, my program actually produces the real XP Security tab (the one you would get if you were in Safe Mode), and not bolts on the Windows NT or 2K security tab on top of XP.
If you have XP Pro, no worries - the security tab will be there by default. But definitely be sure to set permissions - by default, XP gives some pretty wide-open file permissions, and many third-party Windows FTP servers have directory traversal bugs that allow someone to break out of the FTP root fairly easily. |
|
|
|
|
|
|
|
|
