To me it seems like an ideal solution to use anonymous objects.
Jay Carlson wrote:
[...]
> Anyway, what would you do differently?I think there may be some scope in tying object access rules to the
object scoping rules. That would limit the possible interactions to only
those objects which are physically present.
If we're willing to contemplate a radical redesign, it might be worth
stealing ideas from the capability-based OS people: instead of having
object IDs have limited-access tokens that you have to petition other
objects for. The player gets given a token to the room they're in; they
can ask that room for the tokens of visible objects in that room; one of
them is the fruit bowl; the fruit bowl gives them the token of the
banana. If you put the fruit bowl in the glass cabinet, the cabinet
ensures that the tokens it hands out for its contents don't give you
permission to call any methods that require physical access to the
contents. That means the player's code can examine the banana but not
peel it, and the security model enforces this.
On Apr 2, 2013, at 11:21 AM, David Given wrote:You can set $server_options.protect_suspend. There's always programmer.queued_task_limit too.
> Todd Sundsted wrote:
> [...]
>> Why don't you want to allow them to program directly in MOOcode?
>
> There are things that MOOcode allows which I don't want the users to be
> able to do. One is:
>
> while (1)
> suspend(0);
> endwhile
> StiI haven't found a way to protect the system from this yet.
In theory, bozos with queued tasks go to the end of the line with the scheduler too, but your load average will peg at 1.0. But that's in a world where a lag meter returns non-zero.
> Another reason is it doesn't seem possible to generally prevent oneLife would be boring if other people couldn't talk to you people or you couldn't be moved. People climb into the Human Cannon and then have .sessile or some other refuse-to-:moveto set. It violates the consensus reality contract if the cannon is fired but people inside don't go out the barrel. So anybody left over gets :eject()ed; a $room owner can throw any object out because of the wiz perms on $room:eject().
> player from calling methods belonging to another object.
Anyway, what would you do differently? There are not that many systems out there trying to cope with mutually-suspicious programmers, so this really is an open question. I've been trying to figure out the live-Wiki analog to MOO for years now and haven't quite gotten the model straight. My latest attempts have returned to the ability of programmers to add their own private properties/annotations to objects but still keeping the suid-by-default model.
> Also, unfortunately, the> guy I'm trying to sell this to (in a mind-share sense) likes Python...Aw, can't you make the "it's a game! we should use Lua! Lua is for games!" argument?
Jay
On Apr 3, 2013 12:21 PM, "David Given" <d...@cowlark.com> wrote:
>
> Jay Carlson wrote:
> [...]
> > Anyway, what would you do differently?
>
> I think there may be some scope in tying object access rules to the
> object scoping rules. That would limit the possible interactions to only
> those objects which are physically present. It makes intuitive sense
> that in order to be able to peel the banana, you have to be able to see
> inside the fruit bowl. Remote peelings would hardly ever be useful.
>
> Of course, for performance reasons this would probably require baking
> the scoping model into the server...
>
> If we're willing to contemplate a radical redesign, it might be worth
> stealing ideas from the capability-based OS people: instead of having
> object IDs have limited-access tokens that you have to petition other
> objects for. The player gets given a token to the room they're in; they
> can ask that room for the tokens of visible objects in that room; one of
> them is the fruit bowl; the fruit bowl gives them the token of the
> banana. If you put the fruit bowl in the glass cabinet, the cabinet
> ensures that the tokens it hands out for its contents don't give you
> permission to call any methods that require physical access to the
> contents. That means the player's code can examine the banana but not
> peel it, and the security model enforces this.
>
> It's tough, though. Ensuring that token leakage doesn't happen is
> expensive. And I've no idea how user friendly it would be to use.
Consider a new class of objnums which are indirect and resolve dynamically.
#-10 could be "my location". Calling #-10:contents() would turn into a call on #1234:contents(), except with some analog of "caller" or "player" set to #-10 still. The location would know it was being accessed through a local name.
Setting up the dynamic environment is a bit tricky. I think suspend() and fork should tear down any existing bindings.
This might also clarify some long-standing niggles in how !x verbs work; a #-20 resolving to dobj and #-21 resolving to iobj could get those symbols out of the verb local variable environment.
Hell, player could go.