[DGD] Big brother

Josh Dady jpd at indecisive.com
Fri Oct 5 16:54:36 CEST 2007


I think my thoughts on security are that complex systems tend to be  
harder to secure (and therefore easier to break) than simple ones.   
Keeping the logs external to the MUD and using a standard logrotate- 
type tool to expire them seems like it would work, but you'll have to  
deal with a few interesting issues there:

   - I wouldn't want to assume that the watchdog that keeps the process
     on the other end of the named pipe works.  What happens if there's
     no one reading from the fifo when you write to it?  Does DGD wedge?
     (I've never tested this)  If it doesn't, what do you do then?

   - How is the data ultimately stored?  One way or another, you'd have
     to separate it by user and possibly log-level (i.e., the full text
     on the user's connection would be a higher level than just their
     commands, and would theoretically be harder to justify getting
     access to) -- that means you need some sort of protocol (or N+1
     fifos, where N is the number of log streams that exist).

   - Physical security.  Sure, breaking into the host account is
     often a lot harder than breaking the in-game security controls,
     but it happens.  The more data you store, the more is available
     to steal when someone gets in (or your trust in someone is proven
     wrong by their actions).

Determining whether I made things more complex or less complex when I  
added an additional password hash in the user's data file so that a  
modified mod_auth_digest can verify creator passwords is left as an  
exercise for the reader. ;)  (It's also used as a flag -- if someone  
doesn't have the second password hash, which is the default state,  
they haven't enabled access to that feature for their account.)

--
Joshua P. Dady
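
An added example, not part of the original post and not DGD code: the first bullet's question, answered for a generic POSIX writer. It shows what the kernel reports when nobody is reading a FIFO and one way to avoid wedging by spooling to a local file; `log_line`, `spool`, and both paths are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum log_result { LOG_SENT = 0, LOG_SPOOLED = 1, LOG_FAILED = -1 };

/* Append to a local spool file (hypothetical fallback path) so a line is
 * kept while the reader is down. 0600: the log holds user input. */
static enum log_result spool(const char *spool_path, const char *line)
{
    size_t len = strlen(line);
    int fd = open(spool_path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0)
        return LOG_FAILED;
    ssize_t n = write(fd, line, len);
    close(fd);
    return n == (ssize_t)len ? LOG_SPOOLED : LOG_FAILED;
}

/* Deliver one line (keep it <= PIPE_BUF so the write is all-or-nothing)
 * without ever blocking the caller:
 *  - open(O_WRONLY | O_NONBLOCK) fails with ENXIO when no process has the
 *    FIFO open for reading; a blocking open would hang here instead.
 *  - write() fails with EAGAIN when the pipe is full (reader stalled) or
 *    EPIPE when the reader exited; EPIPE is only seen if SIGPIPE is ignored.
 * Every failure path sends the line to the spool file. */
enum log_result log_line(const char *fifo_path, const char *spool_path,
                         const char *line)
{
    size_t len = strlen(line);
    signal(SIGPIPE, SIG_IGN);  /* default action would kill the process */
    int fd = open(fifo_path, O_WRONLY | O_NONBLOCK);
    if (fd < 0)
        return spool(spool_path, line);
    ssize_t n = write(fd, line, len);
    close(fd);
    return n == (ssize_t)len ? LOG_SENT : spool(spool_path, line);
}
```

The spool file then becomes part of the stored data the third bullet is concerned with, so it needs the same permissions and expiry as the main logs.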



