Disable certain admin functions with config file
neothemachine:
Hi emanuele!
--- Quote from: emanuele on June 24, 2012, 04:19:06 AM ---Additionally, as soon as a hacker becomes admin he could install a mod that gets from the database only the information the hacker needs instead of everything.
--- End quote ---
It's funny that you mention that. In fact, our hacker tried to install a vB plugin (some crazy encrypted haxx0r script) through the web forms but he didn't succeed, as it was a TEXT field in the database which can only hold 65k chars and the script was longer. I guess he didn't even see that it got truncated.
But what I'm really saying is: I'd rather only install mods by manually uploading them through FTP or whatever. That's the safest way I guess.
Arantor:
--- Quote ---I'd rather only install mods by manually uploading them through FTP or whatever. That's the safest way I guess.
--- End quote ---
Funny you should mention that, I know a number of people who've avoided platforms (XenForo in particular) because that was the only way to do things, because it's not as nice as using the web interface.
I started working on a way to upload mod packages but do so only via FTP (through the web interface) so that the package itself would not be owned by the webserver but by the user opening the package, to limit the damage hackers on the server could do, but never finished it. It would meet your requirements as a side-effect, because it wouldn't allow doing anything without the FTP password.
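An added example, not code from this thread or from SMF: a small audit for the ownership point in the post above, listing entries under a plugin directory that the web server account could alter. The uid, group ids, function names and directory layout are assumptions.

```python
import os
import stat
import sys


def modify_reason(st, web_uid, web_gids):
    """Explain why an account with web_uid/web_gids could alter this inode, or None."""
    if st.st_uid == web_uid:
        # The owner can always chmod the entry back to writable,
        # so ownership alone is enough, whatever the mode bits say.
        return "owned by web server account"
    if st.st_gid in web_gids:
        # POSIX checks the group bits only when the caller is not the owner.
        return "group-writable" if st.st_mode & stat.S_IWGRP else None
    return "world-writable" if st.st_mode & stat.S_IWOTH else None


def audit_tree(root, web_uid, web_gids=()):
    """Return sorted (relative_path, reason) pairs for entries under root
    that the web server account (hypothetical uid/gids) could modify."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # A writable directory lets files be replaced, so check it too.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # skipped: a symlink's own mode bits carry no meaning
            reason = modify_reason(st, web_uid, web_gids)
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


if __name__ == "__main__":
    # Usage (assumed layout): audit.py /path/to/plugins <web server uid> [gid ...]
    root, uid = sys.argv[1], int(sys.argv[2])
    gids = tuple(int(g) for g in sys.argv[3:])
    for rel, why in audit_tree(root, uid, gids):
        print(f"{rel}: {why}")
```

An empty result means every package file and directory is held by another account and is not writable through group or world bits.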
neothemachine:
I think that could be a nice compromise. But you should always allow devs to manually install mods. I found the approach of Vanilla quite nice. You basically just extract a self-contained plugin folder to the plugins directory and that's it. Then you can enable and disable it through the web interface. This is particularly nice because it plays well with source control systems. I guess this is only possible because they completely rely on a hook-architecture and do not actually have "mods".
Arantor:
--- Quote ---But you should always allow devs to manually install mods
--- End quote ---
With the system I have in mind, no mods are able to touch the main code anyway. Any changes would have to be done manually, because plugins don't have the power.
--- Quote --- You basically just extract a self-contained plugin folder to the plugins directory and that's it.
--- End quote ---
Exactly what I have in mind, but I also want to give the user a way to do it without having to fire up an FTP client, e.g. they're not at home and thus don't have access to their regular FTP client.
--- Quote --- I guess this is only possible because they completely rely on a hook-architecture and not actually have "mods".
--- End quote ---
Yup, as does the setup I have in mind.
neothemachine:
Sounds great! When you have a first working version out, I'd be interested to provide feedback if you want.
By the way: I hate the captchas in this forum! :D They're too difficult to read. Did someone consider using reCaptcha?