New server function getServerEnvironmentValue #1937
Conversation
|
I like the idea of this PR. Environment variables are a nice way to pass parameters to processes in an easy to automate way, and without requiring command line parameters. I don't know why someone downvoted this, as you can pass a hash of sensitive data, like you would do in a database, and already use modules to retrieve this information. Anyway, I'd use the new argument parser for this function. I'd also make sure that it is restricted in the ACL by default, so that no random resource can get environment variables unless the admin explicitly allows it, for privacy concerns. Finally, I'd rename the function to |
|
I'd rename it to |
| @@ -111,6 +111,7 @@ class CLuaFunctionDefs | |||
| LUA_DECLARE(SetServerPassword); | |||
| LUA_DECLARE(GetServerConfigSetting); | |||
| LUA_DECLARE(SetServerConfigSetting); | |||
| LUA_DECLARE(GetServerEnvironmentValue); | |||
There was a problem hiding this comment.
static std::string_view CLuaFunctionDefs::GetServerEnvironmentValue(std::string name) ;| @@ -233,6 +233,7 @@ void CLuaManager::LoadCFunctions() | |||
| {"getServerPassword", CLuaFunctionDefs::GetServerPassword}, | |||
| {"setServerPassword", CLuaFunctionDefs::SetServerPassword}, | |||
| {"getServerConfigSetting", CLuaFunctionDefs::GetServerConfigSetting}, | |||
| {"getServerEnvironmentValue", CLuaFunctionDefs::GetServerEnvironmentValue}, | |||
There was a problem hiding this comment.
{"getServerEnvironmentValue", ArgumentParser<GetServerEnvironmentValue>}Also, for this to work, you need to move it to CLuaUtilDefs.
The new parser doesn't work in CLuaManager.
| int CLuaFunctionDefs::GetServerEnvironmentValue(lua_State* luaVM) | ||
| { | ||
| SString strName; | ||
|
|
||
| CScriptArgReader argStream(luaVM); | ||
| argStream.ReadString(strName); | ||
|
|
||
| if (!argStream.HasErrors()) | ||
| { | ||
| lua_pushstring(luaVM, getenv(strName)); | ||
| return 1; | ||
| } | ||
| else | ||
| m_pScriptDebugging->LogCustom(luaVM, argStream.GetFullErrorMessage()); | ||
|
|
||
| lua_pushboolean(luaVM, false); | ||
| return 1; | ||
| } | ||
|
|
There was a problem hiding this comment.
std::string_view CLuaFunctionDefs::GetServerEnvironmentValue(std::string name)
{
return getenv(name.c_str());
|One thing im not sure about: What if getenv returns null? Does Lua handle it correctly?
|
Also, there is a native Lua function called |
|
What is difference between this nad In other way there is also |
|
What are the security concerns regarding getenv and the scope of variables one could have access to? |
It is only server side feature and I don't see the problems with accessing to the scope in this feature. If we think about unnecessary security of serverside we risky to lost all connections with OS as it was in: #1782 I can find thousand programs which work with ENV and it's okay. |
|
I believe we could try implementing the ACL system from the Lua modules branch and then allow getenv through the native Lua os function as suggested by @Pirulax |
Those functions solve a different problem: allowing the server administrator to set up configuration values for the resources. Environment variables are not meant to store resource configuration; instead, they represent more generic data about the OS environment that may be useful to processes as a whole. Of course storing the environment variables in files via external programs and reading them back in the MTA: SA Lua VM is a workaround, but that implies writes to a physical block device, which contributes to reducing the lifespan of SSDs (unless they are done in a RAM filesystem, but using such filesystems in Windows is awkward). And, honestly, this function is simple enough to be merged quickly and successfully, so it's not like that workaround is even needed.
Good catch! I was concerned about how we can ACL native Lua functions, though, but @patrikjuvonen proposed a solution for that, so it's perfect.
As @sbx320 said in the discussion you linked to, backdoored and compiled server side resources are a concern. Allowing these functions by default might expose the server to be fingerprinted in undesirable ways that may not be easily noticed by the server owner, and, if the server owner improperly uses environment variables to store secrets like deployment keys, it may even hand down a potential attacker with enough information to compromise the system. Denying this function by default is a way of making the server owner aware of this, and if some random compiled DirectX GUI resource insists in needing access to functions like |
I have no complaints of some alerts or ACL lists. It is good, really. But I hate when superfluous security on the server restrict me. I think |
|
in general I think unsafe Lua functions should be enabled/disabeled via meta.xml for server side |
|
Enable |
Well, that's unless you're running an immutable Docker image and want to use different configurations for each instance, without any need to pass volumes or store any local data (totally stateless MTA server instance). This is totally normal for containers to have ENVs as configurations. But yeah ACL would be required for other usecases, e.g. if you use third-party resources which you may not have sources of, or if ENVs have some sensitive data required only for a selected resource (read: passwords) |
|
@pentaflops Are you willing to work on the os.getenv + ACL implementation or should this PR be closed and a new issue be created? |
|
This draft pull request is stale because it has been open for at least 90 days with no activity. Please continue on your draft pull request or it will be closed in 30 days automatically. |
|
This draft pull request was closed because it has been marked stale for 30 days with no activity. |
A useful function for storing passwords and other settings if using docker images