Plugins list not available on Survival or Creative

[Tharine]

Had hoped this one would have been resolved already as i've mentioned it in passing to a number of people, but neither the /pl or /plugins command works on Survival or Creative, for players or staff. The command works fine on PvE, and apparently has done for the entirety of it's new revision. Not sure when this stopped working for the other two servers, but it hasn't been available for at least several weeks now.

[LadyCailin]

If I could figure out why, I was actually going to just disable it on PVE, unless there's a super compelling reason to have it, it's probably better to just hide that information entirely. Players don't really need that list, and it could present a security risk.

[tobylane]

Some of that plugin list is in the new revisions spreadsheet, so security through obscurity isn't an option.

[draykhar]

Don't see a necessity for hiding the plugins from someone in game, as they're already visible in other locations, or told openly when asked what all is used. I understand the typical "X plugin might have a bug". But we've got rules in place to ban for people taking advantage of that.

Is protectplugins set to true in NCP? I know little techside, but I pretty sure that's the easiest way to turn off the /plugin command.

[barneygale]

Do mods still get a notification when someone checks the plugin list? That should be protection enough imo.

[Tharine]

"Do mods still get a notification when someone checks the plugin list? That should be protection enough imo."

Asked a few players on PvE to run the command for me earlier, and the notification came up for every one of them when they did it, so we've definitely still got that set up. I see no reason to hide the plugins we use, it's of more benefit than detriment to the server by having them made known, and I can't think of any instance where i've needed to be secretive about any of the plugins we use.

[LadyCailin]

Ok, fair enough, you guys win. :p Regardless, I still need to figure out what is blocking it. Lol.

On Jun 6, 2013, at 9:03, Tharine notifications@github.com wrote:

"Do mods still get a notification when someone checks the plugin list? That should be protection enough imo."

Asked a few players on PvE to run the command for me earlier, and the notification came up for every one of them when they did it, so we've definitely still got that set up. I see no reason to hide the plugins we use, it's of more benefit than detriment to the server by having them made known, and I can't think of any instance where i've needed to be secretive about any of the plugins we use.

—
Reply to this email directly or view it on GitHub.

[FourDown]

It's a NoCheatPlus config thing:

config.yml -> miscellaneous -> protectplugins: <true/false>

[FourDown]

Also is a bukkit permission:

bukkit.command.plugins

[barneygale]

any progress? iirc editing configs is @jcll's department.

[nopresnik]

I notice /pl is falsified :) /pl shows the fake while /plugins shows the real.

[jcll]

It is a feature of NCP to help stop some hacked clients from going into a lesser more harder to detect mode.

[draykhar]

I'd like to reiterate my disagreeance with that response, jcll.

I still don't see a necessity for hiding the plugins in game when they're already visible in other locations or told openly when asked what we use.

The most effective way to stop a hacked client is observation, NCP is a decent way to get statistics/ warnings to back up otherwise circumstantial evidence. If allowing for the plugins list to be more easily visible means hacked clients are harder to detect, then so be it. We'll deal with them as we always do: through observation. On a personal level, I'm not comfortable with jcll having such an executive veto over something that all three survival admins have signed off on.

You lock out a much larger crowd, that is to say everyone playing legitimately on the servers from quickly accessing useful information. I want for this list not to be falsified. I'd prefer the command be usable by everyone. An appropriate middle-ground would be the actual list of plugins, and a notification when someone checks the plugin list.

Reopen this thread, or actually fix the issue please.

[Tharine]

Just signing off a public +1 that what draykhar has stated is a notion shared, and not just his own words. In addition, I too, would like to see us remove the falsified plugins list.

[nopresnik]

+1 as per Tharine

[cmchappell]

I would also like to see the check plugins command set to accurately display plugins.

[Deaygo]

@Tharine
For quite a while we were running a script with a shortened plugin list (no NCP, etc) but admins and mods could still see the full this. This would prevent hacked clients from logging in, running automatically to see what plugins the server was running and turning off features that they know trigger on the plugin. There are several solutions to this, one of which is to go back to that method of /pl and /plugins, another is to prevent the immediate running of /pl and /plugins as soon as someone logs on.

[JohnAdams1735]

@Tharine "Had hoped this one would have been resolved already as i've mentioned it in passing to a number of people." Never mentioned it to me or any other head as far as I know. While it's maybe not our jurisdiction with tech stuff, I'm pretty good a poking the techs about stuff.

1. Would you like the /pl and /plugins to be available to all players, or just Admins or just staff? If the information, as it has been said, is available elsewhere, then why should we change something that's been in place for a long time just to make it easier for hackers (albiet as well as legit players) to see the plugin list? To make it easier for a hacked client to auto-check the list and auto-correct for those plugins or "tune them down" so they don't trigger things such as NCP (as I've been told they can do, though I'll admit I'm not familiar with what all hacks/hackers are capable of). It just seems, from the info I have and to the best of my current knowledge, changing this would make it easier for hackers and changes nothing but the ease in which legitimate players can query what plugins we use. Little is gained while a lot is potentially lost.
2. As this is not a bug - as jcll pointed out and closed this request for a reason that I, as a head admin, approved - but a policy discussion, it is perhaps better moved to another medium, as github is usually (if I understand things correctly) strictly for bug reports :)

[barneygale]

why should we change something that's been in place for a long time just to make it easier for hackers (albiet as well as legit players) to see the plugin list?

You just answered your own question.

To make it easier for a hacked client to auto-check the list and auto-correct for those plugins or "tune them down" so they don't trigger things such as NCP (as I've been told they can do, though I'll admit I'm not familiar with what all hacks/hackers are capable of)

Nodus hasn't been updated for 1.5.2. You could ask @c45y if there are similar clients still around that do this

On a more constructive note, this is solvable in myriad ways. As @Deaygo points out, a check could be made on whether /plugins is checked immediately on join/respawn (as with hacked clients) or at other times (legit usage). Another simple solution is just to alias /plugins to say "Please check /pl for a plugin list". This defeats hacked clients with a minimum of coding effort.

[Deaygo]

I have edited @barneygale 's comment, as there was a bunch of crud in it that presents no gain to this ticket what so ever

[gsand]

Couldn't you guys simply alias it again, like in the good old days?
@Tharine and @draykhar +1

[stevommmm]

A lot of clients moved away from using the plugin list command, as nearly all servers triggered an alert of blocked it. Should be fine to enable again.

[nopresnik]

With what @barneygale said about having /plugins say "check /pl for plugins," I'm sure that hacked clients can also run /pl. So why not set both commands to say "check /pluginlist(or something similar) for a list of plugins." Then /pluginlist can point to the non spoofed original list.

[barneygale]

Is /pl usually a command for getting plugins? Basically you need to set it to something that won't be hard-coded into a hacked client. If /pl is part of this, then yeah set it to /pluginlist or /listofplugins or whatever is sufficiently non-standard.

[nopresnik]

Yes, I only just found that out not long ago myself.

[ghost]

Worked on a little something for this earlier today. Hopefully this is a happy medium between jcll and everyone else.

https://github.com/ElliotSpeck/Tarpit

Edit: I feel it necessary to tag @Tharine and @draykhar here, so they're aware that a working fix is now available for use.

[FourDown]

This is being blown way out of proportion. There are tonnes of ways to list the plugins, some of them aren't even related to the command /plugins. It seems like everyone is cool with it being enabled, so, why not just do it...?

@ElliotSpeck : Got a 404 error.

[ghost]

@FourDown: Fixed. I accidentally clicked 'private' when making the repository.

[gsand]

@FourDown is right, this has been blown out of proportion.

A simple solution would be to re-alias it again or to simply return a forum link.

[LadyCailin]

This is now fixed. (Or at least will be once each server restarts, I'm not gonna bother to restart them all.)