Creates a transparent sandboxed Lua environment for Minetest, restricting other mods' access to the OS, filesystem, and debug capabilities.
In order to use this mod, it must load before all other mods, including those in the Minetest game being loaded. To ensure this, make sure every mod has the
depends.txt file in its base directory and that one of the lines in the file reads "
security?". If this isn't done, not only will it break the security guarantees, but mods that load before this one may not be able to correctly access global variables.
This mod has no dependencies and provides no external API.
Comments and criticisms are welcome and encouraged. In fact, community support is essential for improving security. Try this with other mods and see if anything crashes. Report incompatibilities. Review the code, try to find holes and break the rules, and please report when you succeed.
This mod creates a virtual filesystem for all mod code. This filesystem looks like:
/ |- tmp/ |- world/ |- mods/ |- mod1/ |- mod2/ |- mod3/ . .
This filesystem is handled correctly by
minetest.place_schematic(), so as long as mods base their file access on those paths, the filesystem change should be transparent to them.
The directory for the security mod is specifically NOT a part of this virtual filesystem. All other mod directories for enable mods are.
The special "/tmp/" directory only holds files with names reserved by
os.tmpname(). These reserved names are only tracked while the server is running, so they cannot be referenced in future incarnations, even if the are not removed explicitly. This MIGHT break some existing mods, but those mods probably should be relying on persistence of temporary files anyway, as they might be kept in locations that are not persisted by the operating system.
Escape characters are assumed to be backslash ('\') and percent ('%'). Backslashes are converted to forward slashes ('/') which will work portably on all operating systems due to Lua's standard library. Percent characters result in invalid paths which cause all I/O functions to fail.
Attempts to access files outside the "/tmp", "/world", or "/mods/*" directories will fail. Attempts to access files in the "/tmp" directory not reserved by
os.tmpname() will fail. Relative paths (starting with anything other than "/" or "\") are resolved relative to "/world/".
Some other functionality normally available in Lua has been removed entirely or limited in specific ways:
- The standard Lua
debugAPI has been removed.
- The ability to execute outside programs (
os.execute()) or load outside shared libraries (
package.loadlib()) has been removed.
- Retrieving metatables (
getmetatable()) and function environments (
getfenv()) return only the sandboxed environment table and any metatables and environments that have been explicitly set by the corresponding set functions (
- Lua modules using
require(), and the
packageAPI will work normally and custom loading will work from virtual filesystem locations. There is also a special search function in package.loaders that will opaquely load modules using the standard mechanism, but the built-in loaders and module paths are hidden from the sandboxed environment (package.cpath and package.path are initialized to an empty string, and changing either will have no effect, though custom mod loaders are free to use them).
- Obviously the cumbersome part of using the mod is having to ensure it loads first by adding it as a dependency to all other mods (even game mods). Unfortunately fixing this probably requires moving this functionality from a mod to the builtin Lua code, or providing some kind of engine support for specifying an initial list of modules that must be loaded first regardless of dependencies.
- Globals added by builtin code in future versions of Minetest will have to be whitelisted. Functions that require file names/paths will have to be wrapped.
Required Minetest Version: 0.4.12 (likely to work in other versions, but not tested)
Reverse Dependencies: (all installed mods)
Copyright and Licensing
All contents, including documentation and source code, are original content created by the mod author and are licensed under WTFPL.
Author: prestidigitator (as registered on forum.minetest.net) License: WTFPL
- Released 2015-04-11
- First working version, tested against luacmd, Minetest Game, moretrees, and the plantslife modpack.
- Whitelisted some extra LuaJIT and Minetest utility functions.
- Fixed io.flush typo.
Version 1.1 Download: https://github.com/prestidigitator/minetest-mod-security/archive/v1.1.zip
Version 1.0 Download: https://github.com/prestidigitator/minetest-mod-security/archive/v1.0.zip
Git Repository: https://github.com/prestidigitator/minetest-mod-security
Forum Thread: https://forum.minetest.net/viewtopic.php?t=11829