CSM: Allowing a server to protect itself against clients running client-provided clientmods #5915

Closed
paramat opened this issue Jun 5, 2017 · 160 comments

@paramat
Member

commented Jun 5, 2017

I just wanted to check if this is already done, or planned, or possible. If not possible i am seriously concerned.

Client-provided clientmods that cannot be prevented by a server create a huge potential for irritating low-level troublemakers and cheaters on a server, and make trouble much easier to cause. There are already clientmods being distributed on the forum and servers can do nothing to protect themselves.

Before now you would have to hack a client, now it's as easy as installing a mod. Server admin are already driven crazy by irritating client behaviour and now it will get much worse.

I am not asking for removing the ability to use client-provided clientmods, just a way for a server to prevent any connected clients from doing so, or not allowing clients using client-provided client mods from connecting.

Arguing that 'it is already possible with a hacked client' is no argument, it should not be made easier, and not supported and encouraged by the distribution of clientmods that servers cannot protect themselves against.

I seem to remember someone, maybe sofar, discussing this and getting the assurance that such an ability as i request would be added. Has it been? Will it be? Why has it not been? @sofar was this you and what is your opinion?

/////////////

Here's a specific example of how this will ruin a survival server ..

The oredetect clientmod already in use effectively makes the world transparent around a player to a certain distance, any node can be detected and its co-ordinates displayed.
The server cannot prevent this or even know which clients are using it.
Some say the range is limited, however the valuable ores from gold to diamond are only separated by 13-17 nodes, so a detection radius half of this is enough to detect almost all valuable ores around a player.

Players with high standards who don't want to cheat in survival will not use the mod, but then will suspect other players are using it and are gaining an advantage, this makes them feel frustrated.
Players with moderate standards will see the advantage other players have and will be tempted to use the mod, the more players that use it the more pressure there is for the rest to use it.
Players with low standards will use the mod to cheat, and therefore gain an advantage over other players and are rewarded for their low standards.

The whole concept of MT is that 'you can't effectively see through solid objects', but now an unknown set of players can do this, and the server cannot choose, police or detect this in any way. This creates an atmosphere of anarchy, cheating, frustration, suspicion and mistrust, with the worst players having an advantage and being rewarded, having fun, while the server is ruined for everyone else.

I have read the arguments that CSM is harmless because it can only read map and not write to it, however i have explained above how this alone can ruin a survival server.

///////////////

For some servers unregulated client-provided clientmods is not an issue so let them, but at least allow servers to decide and protect themselves. MT has always been about the server providing and controlling anything of significance, and servers have always been able to protect themselves and police what happens.

If it is not possible to add the ability i request then the only thing to do is to not allow client-provided clientmods at all, as i understand it CSM was originally intended to be server-provided mods only, for very good reason.
CSM will then still bring many benefits and server admin will add the reasonable clientmods that players want, but at least it is in a controlled way, it is known what is provided to all players and no-one can gain a secret advantage over anyone else.

@celeron55 please could you consider this issue?

@paramat paramat changed the title CSM: Allowing a server to prevent clients running client-provided clientmods CSM: Allowing a server to protect itself against clients running client-provided clientmods Jun 5, 2017

@raymoo

Contributor

commented Jun 5, 2017

My ideal solution would be the removal completely of the loading of client-provided client mods, and only allow server-provided client mods.

Otherwise I would support making API functions less useful for cheating. For example, node searches only returning nodes that are in the player's line of sight.

@nerzhul

Member

commented Jun 5, 2017

@raymoo sorry but removal completely the client side loading is not a solution, better solution would be to control API, we can add rate limit on some calls, or when server sent mods are loaded forbid (if possible) some calls from pure client mods and allow them from sent mods ?

@nerzhul

Member

commented Jun 5, 2017

another solution would be to make server sending a blacklist of functions which cannot be used on the server or a function group strategy (for example: disallowing map getters, disallowing client formspecs...), this means client installed mods should verify if they are allowed to use some features

@paramat

Member Author

commented Jun 5, 2017

> removal completely the client side loading is not a solution

Actually, it is a complete solution, what you mean is you don't like the idea.
However i'm not necessarily asking for this.

> we can add rate limit on some calls

That's useless, less rapid cheating is still cheating.

Your other suggestions seem potentially good. Many clientside abilities can be considered harmless and can remain unregulated.

The discussions about CSM i have read suggested that there would be the ability as i request here, and i remember someone, possibly @sofar, concerned about this being assured there would be, so what happened? Why isn't this already done or planned?
The original intention was server-sent clientmods only, so how did this get reversed?

Until now i have stayed out of CSM discussion, i prefer to keep out of as much as possible to lessen my workload, and i trusted you would do the right thing, but now i see this huge issue and i am very concerned, more than any issue i can remember, and server admin and moderators should be too.

@ghost

commented Jun 5, 2017

I love how devs start to think about CSM like players and server owners do 😄

I hope all of this will lead to more secure and reliable server/client interaction in the future.

@red-001

Contributor

commented Jun 5, 2017

ahh good old security by obscurity

@MisterXtreme

commented Jun 5, 2017

I think nerzhul meant that basically instead of filtering out all, or select mods on requests (not hard to rename a mod), you would be able to have a server side setting, that would allow you to disable the functions that would allow something like oredetect to work, correct me if I'm wrong.

@raymoo

Contributor

commented Jun 5, 2017

@red-001 We're not hiding anything, players can look at the source code if they want. Putting limits just increases the barrier to cheating. CSM provides an environment where you don't need to recompile every time you add a new cheat, which makes it easy for random people to take cheat mods distributed by other people and use them. Nobody has ever tried to distribute modular cheats before CSM, though some people have distributed clients with certain cheats compiled in.

This is why I favor just removing client-loading of client mods. People who want to revive client-loaded CSM for cheating would have to either recode CSM or port it from an earlier version, requiring more work than just removing a few lines that restrict the CSM API. Somebody other than official Minetest will have to standardize and maintain the client-provided CSM interface. With "CSM with limits", you can just remove the checks and have a fully-featured CSM system ready for cheating.

I'm glad you had fun dropping a buzzword, though.

@MisterXtreme

commented Jun 5, 2017

CSM can be used for cheating, and does lower the barrier a lot, but there are many advantages to it as well, such as:

  • Ambient music that won't bring the server to its knees

  • Mods that allow you to see things such as block name/desc, status, etc

  • More full featured minimap, without bugging the server

  • Many, many other things.

@raymoo

Contributor

commented Jun 5, 2017

These could be provided by the server, and it might be better that way since the last two of those could be considered cheats by some servers (reveals information that would be hard to get without the client mods). I never said I was against CSM, just client-provided client mods.

The reason I prefer removing the capability to load local mods at all is because otherwise it's too easy to remove the anti-CSM checks from the code. I do recognize that it limits what functionality can be provided by client-loaded client mods, but for me the main value of CSM has always been that the server can provide code to run on the client.

I have seen people suggest that client-loaded CSM is important for UI customization, but what realistic use cases are there that actually require Lua scripting, as opposed to some static format?

@red-001

Contributor

commented Jun 5, 2017

horrifying now players can see the location of blocks that they are not supposed to, it's not as if a few lines of c++ code could achieve the same thing.

@nerzhul

Member

commented Jun 5, 2017

@paramat i think i will remove some mapgen parts as they are not optimal, it's exactly what you propose here: not a solution, just easy solution, i think i can also remove all network code as you can spoof another player peer_id easily and bug himself server side.

@raymoo

Contributor

commented Jun 5, 2017

@red-001 I don't know why you're acting like everybody ignored the fact that clients can be modified without CSM. CSM just makes it easier, and makes it so that you do not have to recompile for every cheat you want to use. It especially makes it easy to pick and choose cheats provided by other people. I already said all of this though, so maybe you are ignoring the fact that people have already tried to address the criticism that players could modify their client anyway.

Or maybe you didn't ignore it and thought that a clever-looking remark would be a more effective way to argue?

EDIT: @paramat also addressed client modification in the OP, so don't pretend like everyone arguing for limits was completely ignorant that people can recompile code.

@paramat

Member Author

commented Jun 5, 2017

XtremeHacker no-one is doubting the usefulness of CSM.

> horrifying now players can see the location of blocks that they are not supposed to, it's not as if a few lines of c++ code could achieve the same thing

This ridiculous argument is being used in a few places, i know a hacked server can do the same, the issue is officially supporting cheating and making it as easy as possible.
Just because a few people can hack a client does not mean we can give up on trying to avoid bad behaviour on servers.

How many players know how to hack a client? very very few, and hacked clients would not be allowed on the forum, but now you are officially supporting and encouraging secretive cheating and the mods are being distributed in the forum, and we can do nothing about it because on some servers such an ability may be acceptable.

Remember i am not attacking CSM or even the ability to have client-provided clientmods, just a way for servers to protect themselves if they wish, and they will want to once client behaviour becomes much worse due to these clientmods.

> i think i will remove some mapgen parts as they are not optimal, it's exactly what you propose here

No, please don't misrepresent me, above i write that your suggestions have potential, because they would identify the problematic abilities without restricting the harmless ones. And please don't use ridiculous analogies, deal with everything issue by issue.

Come on guys i know you are intelligent and above stupid arguments like this, there's no need to be so defensive.

@VanessaE

Contributor

commented Jun 5, 2017

By all means, yes, a server should be able to protect itself in every way possible from malicious CSM mods. Or as I put it on IRC, "in a word? absofuckinglutely."

@paramat

Member Author

commented Jun 5, 2017

Support from Ezhh, tenplus1, ExeterDad and VanessaE, all respected server owners (sorry if others are also server owners and i am unaware).

@red-001

Contributor

commented Jun 5, 2017

@raymoo no just removing restrictions on CSM mods would be just as hard/easy as making a far faster/better cheat using C++. I don't have anything against allowing servers to restrict certain functions from being used by CSM mods, e.g. find_nodes_in_area

@VanessaE

Contributor

commented Jun 5, 2017

Meanwhile, regarding the notion of disabling the client-loading of CSM mods... @nerzhul hinted at the idea, maybe what's needed is to make the client-side API super strict, but only for mods that were loaded directly by the client.

Any mod that's sent by the server should have access to the full CSM API, whatever it might be when that day comes.

@VanessaE

Contributor

commented Jun 5, 2017

There's a secondary problem with that idea, though: clients made from dev builds up to and including the latest release would naturally not obey, so those clients need to somehow be kicked off.

This would probably be best done by making some minor network protocol change right before such restrictions go into effect, bumping the network version accordingly, and making strict protocol checking default to 'enabled' on the server.
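
The function-group restriction, the stricter treatment of client-loaded mods and the protocol-version gate proposed in the comments above, put together as an added example; it is not code from Minetest or from anyone in this thread. Every identifier (`CsmRestriction`, `ClientModApi`, `PROTO_WITH_RESTRICTIONS` and the rest) is hypothetical, and the node data is constructed.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <tuple>
#include <utility>
#include <vector>

// Hypothetical names throughout; this is not Minetest's real CSM API.
enum CsmRestriction : uint32_t {
    CSM_RESTRICT_LOCAL_MODS  = 1u << 0, // refuse to load client-provided mods
    CSM_RESTRICT_MAP_GETTERS = 1u << 1, // node lookups and area searches
    CSM_RESTRICT_FORMSPECS   = 1u << 2, // formspecs created by client mods
};

enum class ModOrigin { ServerSent, ClientProvided };
using Pos = std::tuple<int, int, int>;

// Constructed placeholder: first protocol version whose clients obey the flags.
constexpr uint16_t PROTO_WITH_RESTRICTIONS = 100;

// Server side. With strict checking on, clients too old to know about the
// flags are refused instead of being trusted to obey them.
bool serverAcceptsClient(uint16_t client_proto, bool strict_checking) {
    return !strict_checking || client_proto >= PROTO_WITH_RESTRICTIONS;
}

// Client side. The flags arrive from the server at connect time and every
// API call is checked against the origin of the mod that makes it.
class ClientModApi {
public:
    ClientModApi(uint32_t server_flags, std::map<Pos, std::string> known_nodes)
        : m_flags(server_flags), m_nodes(std::move(known_nodes)) {}

    bool mayLoadMod(ModOrigin origin) const {
        return allowed(origin, CSM_RESTRICT_LOCAL_MODS);
    }

    // Returns false when the call is forbidden or the position is unknown.
    bool getNode(ModOrigin caller, const Pos &p, std::string &name) const {
        if (!allowed(caller, CSM_RESTRICT_MAP_GETTERS))
            return false;
        auto it = m_nodes.find(p);
        if (it == m_nodes.end())
            return false;
        name = it->second;
        return true;
    }

    // Area search; a forbidden caller gets an empty result, not an error.
    std::vector<Pos> findNodes(ModOrigin caller, const std::string &name) const {
        std::vector<Pos> found;
        if (!allowed(caller, CSM_RESTRICT_MAP_GETTERS))
            return found;
        for (const auto &entry : m_nodes)
            if (entry.second == name)
                found.push_back(entry.first);
        return found;
    }

    bool showFormspec(ModOrigin caller) const {
        return allowed(caller, CSM_RESTRICT_FORMSPECS);
    }

private:
    // Server-sent mods keep the full API; client-provided mods lose every
    // function group the server has flagged.
    bool allowed(ModOrigin caller, CsmRestriction group) const {
        return caller == ModOrigin::ServerSent || (m_flags & group) == 0;
    }

    uint32_t m_flags;
    std::map<Pos, std::string> m_nodes;
};

// Constructed sample of what the client already knows about the map.
std::map<Pos, std::string> sampleNodes() {
    std::map<Pos, std::string> m;
    m[Pos(0, -10, 0)] = "default:stone_with_diamond";
    m[Pos(1, -10, 0)] = "default:stone";
    return m;
}

int main() {
    ClientModApi api(CSM_RESTRICT_MAP_GETTERS, sampleNodes());
    const std::string ore = "default:stone_with_diamond";
    std::cout << "client-provided mod finds "
              << api.findNodes(ModOrigin::ClientProvided, ore).size()
              << " ore nodes, server-sent mod finds "
              << api.findNodes(ModOrigin::ServerSent, ore).size() << "\n";
    std::cout << "old client accepted under strict checking: "
              << serverAcceptsClient(99, true) << "\n";
    return 0;
}
```

The check runs inside the client, so it only holds for unmodified builds; that is the limit several commenters point out, and it is why the version gate and server-side validation still matter.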

@raymoo

Contributor

commented Jun 5, 2017

@red-001 I am talking about the difficulty from the typical end-user of a cheat, who might not have the skill or motivation to write their own cheat. Everything below assumes that the player is not going to write their own cheat code.

With (unlimited) CSM:

  • They have to download the cheat mod(s) and put it in their clientmods directory

With limited client-provided CSM:

  • They have to remove a couple lines and recompile the client, or else get such a recompiled client from somebody else.
  • They have to download the cheat mod(s) and put it in their clientmods directory

With no client-provided CSM:

  • They are forced to download somebody else's sketchy cheat client (I doubt this will stop cheaters though)
  • They need to somehow combine (git merge, copy paste, etc.) the codebases of multiple cheat clients if they want the features of all of them
  • They need to recompile every time they add / remove a cheat.

There is also a fourth possibility I touched on before, that someone could make a cheat platform that recreates what CSM does right now. This would make it as simple as it is now, except that they have to download an unofficial client. The developer of the client would need to either port current CSM to the newer version that doesn't have client-provided clientmods (more likely), or else code their own CSM (less likely). I feel that such a fork would be less well-maintained, but maybe it would gain traction. But removing client-provided CSM would make it harder to develop such a client, just as it makes it harder to use other people's cheats without CSM.

EDIT: Also thank you for addressing my argument instead of ignoring it.

@raymoo

Contributor

commented Jun 5, 2017

Sort of unrelated to what I have been arguing, but for ore detection specifically, I believe it would be possible to make a fairly good server-sided way of hiding ores right now with mods, and server-sided ore hiding would be the best solution if it could be done efficiently in core since it would prevent even modified clients from finding ores, except for ones that the server deems "visible" to the player.
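
One way server-side ore hiding could work, as an added example that is not from Minetest or from the comment above: the server keeps the real map and sends buried ores as plain stone, revealing them only once a face is exposed. The node ids, the `Region` type and the rule that "visible" means "has a face touching air" are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Constructed node ids for the example; not Minetest content ids.
enum Node : uint8_t { AIR, STONE, ORE_GOLD, ORE_DIAMOND };

struct Pos { int x, y, z; };

// A cuboid of nodes as the server stores it (the authoritative data).
struct Region {
    int sx, sy, sz;
    std::vector<Node> nodes;

    Region(int x, int y, int z, Node fill)
        : sx(x), sy(y), sz(z), nodes(static_cast<size_t>(x) * y * z, fill) {}

    bool inside(Pos p) const {
        return p.x >= 0 && p.y >= 0 && p.z >= 0 &&
               p.x < sx && p.y < sy && p.z < sz;
    }
    size_t index(Pos p) const {
        return (static_cast<size_t>(p.z) * sy + p.y) * sx + p.x;
    }
    Node &at(Pos p) { return nodes[index(p)]; }
    Node at(Pos p) const { return nodes[index(p)]; }
};

static bool isOre(Node n) { return n == ORE_GOLD || n == ORE_DIAMOND; }

static const Pos NEIGHBOURS[6] = {
    {1, 0, 0}, {-1, 0, 0}, {0, 1, 0}, {0, -1, 0}, {0, 0, 1}, {0, 0, -1}};

// An ore counts as visible when at least one face touches air. Positions
// outside the region are treated as opaque (assumption; a real server
// would consult the adjacent map block instead).
bool oreExposed(const Region &world, Pos p) {
    for (const Pos &d : NEIGHBOURS) {
        Pos q{p.x + d.x, p.y + d.y, p.z + d.z};
        if (world.inside(q) && world.at(q) == AIR)
            return true;
    }
    return false;
}

// Copy handed to the network layer: buried ores are replaced by stone, so
// even a modified client never receives their positions.
Region viewForClient(const Region &world) {
    Region out = world;
    for (int z = 0; z < world.sz; ++z)
        for (int y = 0; y < world.sy; ++y)
            for (int x = 0; x < world.sx; ++x) {
                Pos p{x, y, z};
                if (isOre(world.at(p)) && !oreExposed(world, p))
                    out.at(p) = STONE;
            }
    return out;
}

// Digging changes exposure. Removes the node and returns the neighbouring
// ore positions whose real id must now be sent to clients (re-sending one
// that was already exposed is harmless).
std::vector<Pos> digAndReveal(Region &world, Pos dug) {
    std::vector<Pos> resend;
    if (!world.inside(dug))
        return resend;
    world.at(dug) = AIR;
    for (const Pos &d : NEIGHBOURS) {
        Pos q{dug.x + d.x, dug.y + d.y, dug.z + d.z};
        if (world.inside(q) && isOre(world.at(q)))
            resend.push_back(q);
    }
    return resend;
}

int main() {
    Region world(5, 5, 5, STONE);       // constructed sample map
    world.at(Pos{2, 2, 2}) = ORE_DIAMOND; // fully buried
    Region view = viewForClient(world);
    std::cout << "client sees node id " << int(view.at(Pos{2, 2, 2}))
              << " at the buried ore\n";
    std::vector<Pos> resend = digAndReveal(world, Pos{2, 3, 2});
    std::cout << resend.size() << " ore node(s) to re-send after digging\n";
    return 0;
}
```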

@red-001

Contributor

commented Jun 5, 2017

You are overestimating how hard it is to get x-ray, ~3-6 lines of c++ code would be enough to get x-ray, you could just modify the node definitions the server sends, no advanced graphics related work or anything, just basic data manipulation; someone could easily make a patch/diff for that and distribute it.

@sfan5

Member

commented Jun 5, 2017

You don't seem to get it.

No matter how few lines this is in C++, recompiling (even modifying) the Minetest code is a high enough hurdle for the average player to justify this. Making use of game-breaking cheats as easy as installing mods is not a good idea and will result in more widespread cheating.

@VanessaE

Contributor

commented Jun 5, 2017

@red-001, for a coder, sure that's trivial, but for an average user, they wouldn't know how to even open the code in a text editor, let alone modify or compile it. Installing a mod, however, is pretty basic stuff that most users could figure out in just a few minutes.

@raymoo

Contributor

commented Jun 5, 2017

@red-001
What CSM gives is the ability to easily use different cheats together, not using one particular cheat.

@sfan5 @VanessaE
For that class of user, simply limiting CSM is enough because that also requires recompilation to get around. But removing client loading of clientmods also makes it harder for the class of users that can mechanically enter commands into the terminal.

@red-001

Contributor

commented Jun 5, 2017

@sfan5 @VanessaE I'm arguing for limiting non-server supplied CSM mods, instead of removing client supplied mods.

@minetest minetest deleted a comment from JustinLaw64 Jul 2, 2017

@nerzhul

Member

commented Jul 2, 2017

@rubenwardy it's hash of the content or filename if i remember
@dsohler i don't know about proprietary blobs but it's not CSM philosophy and how i designed it. The dev page is quite old and we never looked at this page to make this happen. CSM runs on a separate luastack from mainmenu but not thread, there is no sense to decouple it from client thread atm

@Wuzzy2

Contributor

commented Jul 2, 2017

I am very skeptical of allowing Minetest to run arbitrary code from potentially untrusted 3rd party sources. You can play in sandboxes all you like, only one serious bug in the sandbox is enough and you have a nice 0day. :-)
I think the “opt out of proprietary code” idea is just a lame excuse. For me, “opt out” means it's proprietary by default. Ummmm … nope!
Second, it sends the completely wrong message. We are indirectly supporting people who want to distribute their proprietary blobs by making their stuff dangerously convenient to access via the server list. Why do these kind of people deserve any support from us?
Third, this completely destroys the current model of trust:
Currently, you can be relatively certain that running Minetest and playing on any server that you run without security risks or some random 3rd party blobs. But with this change it will no longer be true. Any server could be a potential “trap”
Because the JavaScript analogy came up quite often: Well, I think the Web sucks, we should not draw inspiration from it. :D Also: https://www.gnu.org/philosophy/javascript-trap.html

You can write warnings, send LICENSE files, create sandboxes and make “opt out” checkboxes all you like, at the end of the day, proprietary blobs will start spreading. I don't like this.

Ultimately, this begs the question why you want to explicitly allow for proprietary code in the first place. What's the benefit of that? Doesn't this very idea go against everything what Minetest stands for?

@rubenwardy

Member

commented Jul 2, 2017

> I think the “opt out of proprietary code” idea is just a lame excuse. For me, “opt out” means it's proprietary by default. Ummmm … nope!

Bad phrasing on my behalf, I meant opt in. It definitely should not be default. And it isn't a lame excuse at all.

@Wuzzy2

Contributor

commented Jul 2, 2017

So … you are OK with servers distributing proprietary code to clients?
Why?

Why do you want to support people who develop proprietary software?

@rubenwardy

Member

commented Jul 2, 2017

Minetest doesn't disallow proprietary mods. The majority of our users use Minetest with proprietary code, and they don't care. The reason that celeron55 chose a LGPL license over a GPL one was to be slightly friendlier to proprietary software, ie: getting companies involved is good for development (although we haven't seen this, and as a game I doubt we will)

Let's not impose our morals on others when it's personal choice

> So … you are OK with servers distributing proprietary code to clients?

Yes, as long as the user is notified

> Why do you want to support people who develop proprietary software?

I develop proprietary software for a living

@JustinLaw64

commented Jul 3, 2017

Minetest people have been able to use proprietary textures for a while; As in the case of TestBDcraft. The License link seems to be broken, but the FAQ says the pack can't be mirrored.

With Minetest being LGPL. I'd think it's okay for one to make a proprietary sub-game as long as he uses other mods that are permissive and make their own mods.

@red-001

Contributor

commented Jul 3, 2017

why are we talking about proprietary blobs when it has already been well established that CSM doesn't and wouldn't allow bytecode to be executed as it is impossible to efficiently sandbox.

@JustinLaw64

commented Jul 3, 2017

I think "whether or not Minetest should allow proprietary CSM mods" should be moved into another thread. As this thread is about "whether or not a Minetest client should be programmed to disallow user-provided CSM mods if the server so requests."

@ghost

commented Jul 3, 2017

> Minetest people have been able to use proprietary textures for a while

Because proprietary bitmap graphics are the same thing as arbitrary binary code being executed without the user being able to analyze what the code does before the client executes it.

@ExeterDad

commented Jul 3, 2017

So if my server sends out an ambiance mod to be run locally and efficiently that is unique to our gameplay, it would be considered proprietary and frowned upon?
If all files are in plain text and our server can be proven to be malicious, then we deserved to be blacklisted and shunned for being so openly stupid.
I thought the whole purpose (at least it's what the brochure said) was to offload select tasks to the client to increase performance and make gameplay a more enjoyable experience?

@JustinLaw64

commented Jul 3, 2017

Yes I do think server owners can send implicitly restricted copyrighted textures to clients as long as they made them on their own.

> Because proprietary bitmap graphics are the same thing as arbitrary binary code being executed without the user being able to analyze what the code does before the client executes it.

They're photos, PNGs of all things. Does it make a difference if it came from your computer, or from an infected server?

@mark-otaris

commented Jul 3, 2017

If Minetest servers can tell clients not to run user-provided mods, the users cannot replace the mods by modified versions. This has the same effects as tivoization; the user has to modify the client to run a modified version of the mods. Users are likely to want to customize or add functionality to the inventories and other interfaces implemented by client-side mods, so they are likely to actually want to do this. They shouldn't have to modify and recompile their client to do so.

The client should obey the user even when the user is trying to cheat or do things (other examples are blocking ads and torrenting copyrighted content) that the server administrator doesn't want. This doesn't mean that there aren't other (better) ways to prevent cheating because, conversely, the server should obey the server administrator and not trust commands sent by clients. The commands are already verified in serverpackethandler.cpp to make sure players aren't placing or digging nodes from too far away, moving faster than is supposed to be possible, interacting while dead, and so on.

This issue thread is about making the clients obey the server administrator's wishes in order to make cheating less convenient. Security through inconvenience works, to some limited extent. That modified clients exist isn't a valid argument for not making cheating inconvenient, but it is an example of the fact that the extent to which security through inconvenience works is limited. The actually-sound argument for not making cheating inconvenient is that it has disadvantages that outweigh the advantages: making it inconvenient to cheat in this case requires also making it inconvenient (requiring a fork and recompiling of the client) for the user to modify server-provided mods, which is exercising one of the four freedoms, or provide other mods. It is not necessary or useful to make clients obey the server administrator's wishes about client-side mods if countermeasures to protect the server are implemented on the server, under the control of the server administrator, rather than being implemented on the client.

@red-001 The mods are proprietary if they do not have a license that allows users to redistribute them, even if the source code is sent to the client.

@kilbith

Contributor

commented Jul 3, 2017

> [blah blah blah] We are indirectly supporting people who want to distribute their proprietary blobs by making their stuff dangerously convenient to access via the server list. [blah blah blah]

It is quite revealing to see the word "dangerous" associated so fast with the word "proprietary" in the same sentence... For me you are a typical highly-opinionated FLOSS nut who favors ideology above pragmatism. Proprietary software runs pacemakers and robots in space, did you know?

Also, like rubenwardy, I do code proprietary software for a living. And I much prefer competitive proprietary software to sucky free software.

@red-001

Contributor

commented Jul 3, 2017

@dsohler why the **** are you talking about binary code?

@red-001

Contributor

commented Jul 3, 2017

This issue has gotten massively offtopic, I suggest opening a new issue about your "binary blobs" whatever you mean by that.

@Wuzzy2

Contributor

commented Jul 3, 2017

To clarify: It started when rubenwardy suggested it's okay to let servers directly distribute proprietary code:

> The users should get a warning if the server requests that they use proprietary mods, and have to opt-in to using them.

This is my last comment about this in this issue. Discussion should continue in a different issue, I agree.

@paramat

Member Author

commented Jul 3, 2017

Yeah that dev page is old and is not the plan for current CSM, and many MT devs have a strong FOSS attitude, so don't worry too much about proprietary stuff mentioned there.
My point was actually that CSM is not following that plan, in terms of client- versus server-provided mods.

I'm a little concerned that page was not looked at when designing current CSM, and it's clear that celeron55 and other devs who were considering working on CSM intended the server to have as much control as possible. So i'm concerned about how CSM has deviated from what was intended and has therefore caused the issues this thread is about. I feel there needs to be some change of direction to something closer to what celeron55 and others intended.

See #5930 for the proposed restrictions, consideration and input is appreciated.

@VanessaE

Contributor

commented Jul 3, 2017

Why are you guys even mentioning binary blobs? Minetest can't run them anyway if you have mod security turned on, or if you use LuaJIT, so that's like 99% of all Minetest installs by now.

As for proprietary code (whether source-available or not), come ON, just DEAL with it already! No one outside of the geek community cares if a program has a proprietary license, they just care if the program works properly.

@elinor-s

commented Jul 3, 2017

I care. People outside of the geek community don't because they don't know about these issues, not because they have thoughtfully considered them and determined that software freedom isn't important. The users who do know about software freedom and are fine with running proprietary software anyway can toggle an opt-in setting, I'm sure.

@red-001

Contributor

commented Jul 3, 2017

you are welcome to not play on servers that don't follow your ideology. And can we please stop taking this issue offtopic?

@nerzhul

Member

commented Jul 3, 2017

license is not a CSM issue we don't care, we want to limit client API from server it's far from licensing issue

@paramat

Member Author

commented Aug 28, 2017

#5930 merged.

@paramat paramat closed this Aug 28, 2017

@nerzhul nerzhul removed this from Feature requests in Minetest 5.0.0 blockers Jan 4, 2018
