Here is the proposal for how to prevent non-administrators from permanently changing core code in the game.
[x] Have the in-game commands for uploading files (and eventually editing them) check the user's name against a set specifying which users are administrators. Or, use a dictionary to specify which users can modify a given directory. @1BayShore I believe this is already in place?
This does not prevent a malicious wizard from modifying that set or directory to give themselves administrator privileges using the "execute" command - to do so would be quite complicated
But, it should stop novice wizards from accidentally overwriting core game objects.
To prevent malicious wizards from permanently ruining the game, the plan is to use UNIX permissions to ensure only trusted administrators can change any of the core game files:
[x] Create a separate UNIX user (e.g. "cedric" or "dluebke") on the EC2 instance for each person we anoint as a game administrator.
An administrator, by definition, has a login on the EC2 machine and will have full rights to modify any game code on that machine.
Administrators will probably also have push and merge rights on github.
[x] Create a UNIX group gameadmins on the EC2 instance that includes the usernames of any game administrators. All game code directories and files will belong to this group.
[x] Create a separate UNIX user gameserver for running the game, including the periodic restarts.
[x] chmod all core game code (the top-level directory, basically) to be readable by all but writable only by user and group (which is gameadmins)
[x] chmod all domain code to be readable and writeable by all, including the gameserver user
Eventually we'll want separate UNIX groups for each domain, with permissions to match for domain and wizard code; for now, making all non-core code globally writeable seems easiest.
[x] Create a special UNIX user gitbot which runs the periodic git pull commands, and which belongs to the gameadmins group so that it can overwrite files in the core directories.
Set up a cron job, run as gitbot, to do the git pull command.
Move this functionality out of the game-reboot loop run by gameserver.
Use a cron job to restart the game in sync with the git bot's updating from github.
Have the game shut itself down at the correct time, specified on the command line by the script that gameserver runs via cron.
Here is the proposal for how to prevent non-administrators from permanently changing core code in the game.
To prevent malicious wizards from permanently ruining the game, the plan is to use UNIX permissions to ensure only trusted administrators can change any of the core game files:
cedric" or "dluebke") on the EC2 instance for each person we anoint as a game administrator.gameadminson the EC2 instance that includes the usernames of any game administrators. All game code directories and files will belong to this group.gameserverfor running the game, including the periodic restarts.chmodall core game code (the top-level directory, basically) to be readable by all but writable only by user and group (which isgameadmins)chmodall domain code to be readable and writeable by all, including thegameserverusergitbotwhich runs the periodicgit pullcommands, and which belongs to thegameadminsgroup so that it can overwrite files in the core directories.cronjob, run asgitbot, to do the git pull command.gameserver.gameserverruns via cron.