You are here: start / opensim / server_patches / xengine_scripts_whitelisting

Table of Contents

The patch described here was submitted to Mantis. Redirected from OpenMetaverse JIRA.

Do not use this patch, it is kept here for historical purposes. Instead use the following parameters placed in OpenSim.ini, in the [Startup] section: 

[Startup]
GrantLSL = 5998029f-ddde-4497-b3e1-b7a5d702742f,b02e3094-a3c6-4921-8dcf-5c33aea6c261
GrantCS = 5998029f-ddde-4497-b3e1-b7a5d702742f,b02e3094-a3c6-4921-8dcf-5c33aea6c261
GrantVB = 5998029f-ddde-4497-b3e1-b7a5d702742f,b02e3094-a3c6-4921-8dcf-5c33aea6c261
GrantJS = 5998029f-ddde-4497-b3e1-b7a5d702742f,b02e3094-a3c6-4921-8dcf-5c33aea6c261
GrantYP = 5998029f-ddde-4497-b3e1-b7a5d702742f,b02e3094-a3c6-4921-8dcf-5c33aea6c261

where the UUIDs 5998029f-ddde-4497-b3e1-b7a5d702742f and b02e3094-a3c6-4921-8dcf-5c33aea6c261 represent agent IDs that are allowed to use the compiler.

Shortnote

The following differential patch against OpenSim 0.7.4 allows the server administrator to lock-down script languages to specified UUIDs.

More precisely, nobody will be able to run scripts on the simulator unless they are specified on a comma-separated whitelist in the OpenSim.ini configuration file. This is useful, for example, for enabling hybrid C#-LSL scripting and whitelisting only certain agents that are allowed to use the C# language in order to limit access to the system.

The patch also enables the white-list functionality for all supported languages in OpenSim.

Downloading Binaries

The easiest procedure is to download the binaries from the following link:

this will download a zip file containing a DLL and an MDB named OpenSim.Region.ScriptEngine.XEngine.dll, respectively OpenSim.Region.ScriptEngine.XEngine.dll.mdb. You just need to replace the original files from your bin directory with the version you downloaded from DropBox and then proceed to the configuration section below.

Configuration File

To configure the list of UUIDs allowed to script on a region, we edit OpenSim.ini and insert the following line in the [XEngine] section: 

AllowScripting_c# = 5998029f-ddde-4497-b3e1-b7a5d702742f,b02e3094-a3c6-4921-8dcf-5c33aea6c261
AllowScripting_vb = 5998029f-ddde-4497-b3e1-b7a5d702742f,b02e3094-a3c6-4921-8dcf-5c33aea6c261
AllowScripting_js = 5998029f-ddde-4497-b3e1-b7a5d702742f,b02e3094-a3c6-4921-8dcf-5c33aea6c261
AllowScripting_yp = 5998029f-ddde-4497-b3e1-b7a5d702742f,b02e3094-a3c6-4921-8dcf-5c33aea6c261

where the UUIDs: 

5998029f-ddde-4497-b3e1-b7a5d702742f
b02e3094-a3c6-4921-8dcf-5c33aea6c261

represent agent UUIDs that are allowed to run scripts in this OpenSim instance.

The left-hand side of the equality: 

AllowScripting_c#
AllowScripting_vb
AllowScripting_js
AllowScripting_yp

represent the different script engines for which you can white-list agents.

The LSL engine is left up to the land-admin tools.

Defaults

  • If the configuration lines are omitted from the OpenSim configuration file, then permission is granted by default to that engine.
  • If the configuration reads an empty list of UUIDs, such as:
AllowScripting_c# =

then permission is granted by default to that engine.

Compiling your Own

Compiling your own patched version of OpenSim can be done by downloading OpenSim v0.7.4 and applying the patch provided on this page. After that OpenSim must be recompiled by issuing: 

sh runprebuild.sh
make

After a while, the result will be placed in the bin directory. If you already run a configured OpenSim at version 0.7.4, it is moderately safe to just replace the newly created bin/OpenSim.Region.ScriptEngine.XEngine.dll with the one on your server.

Applying the Patch

First we test that the patch applies with no rejections: 

cd opensim-0.7.4-source/OpenSim/Region/ScriptEngine/XEngine/
cat xengine_lockdown.patch | patch -p0 --dry-run
patching file XEngine.cs

Then we apply the patch for good: 

cat xengine_lockdown.patch | patch -p0

Now we can recompile the server.

Patch for OpenSim v.0.7.4

The patch is performed on OpenSim v0.7.4 - other versions may not apply correctly. Make sure to perform a dry run before applying the patch.

xengine_lockdown.patch
--- XEngine.cs	2013-01-31 20:53:32.000000000 +0000
+++ XEngine.cs	2013-02-01 04:14:31.000000000 +0000
@@ -1016,6 +1016,36 @@
 
             ScenePresence presence = m_Scene.GetScenePresence(item.OwnerID);
 
+            // Found at: http://grimore.org/opensim:server_patches:xengine_scripts_whitelisting
+            string language = script.Substring(2, 4).Trim();
+            string scriptPerm = "";
+            switch(language) {
+              case "c#":
+                scriptPerm = m_ScriptConfig.GetString("AllowScripting_c#", "");
+                break;
+              case "vb":
+                scriptPerm = m_ScriptConfig.GetString("AllowScripting_vb", "");
+                break;
+              case "js":
+                scriptPerm = m_ScriptConfig.GetString("AllowScripting_js", "");
+                break;
+              case "yp":
+                scriptPerm = m_ScriptConfig.GetString("AllowScripting_yp", "");
+                break;
+              default:
+                break;
+            }
+            if(scriptPerm == "") goto ScriptOK;
+            string[] ids = scriptPerm.Split(new char[] {','});
+            foreach(string id in ids) {
+                string current = id.Trim();
+                UUID uuid;
+                if(!UUID.TryParse(current, out uuid)) continue;
+                if(item.OwnerID == uuid) goto ScriptOK;
+            }
+            return false;
+            ScriptOK:
+
             string assembly = "";
 
             CultureInfo USCulture = new CultureInfo("en-US");
opensim/server_patches/xengine_scripts_whitelisting.txt · Last modified: 2022/04/19 08:28 by 127.0.0.1
You are here: start / opensim / server_patches / xengine_scripts_whitelisting

Access website using Tor Access website using i2p Wizardry and Steamworks PGP Key


For the contact, copyright, license, warranty and privacy terms for the usage of this website please see the contact, license, privacy, copyright.