[JIRA] Issue Comment Edited: (SVC-5054) No-Modify object is modifiable: anyone can disassemble and steal its contents

Harleen Gretzky (JIRA) no-reply at lindenlab.cascadeo.com
Sat Nov 21 02:19:01 PST 2009


    [ http://jira.secondlife.com/browse/SVC-5054?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=147992#action_147992 ] 

Harleen Gretzky edited comment on SVC-5054 at 11/21/09 2:18 AM:
----------------------------------------------------------------

It's not a moot point, it is one of the reasons you need to use a boxed item, a boxed item that if no-mod will break if you cannot remove the contents.

{quote}
Using a script to remove the content is allowing the script to decide which of its content can be removed, and which will not selectively, such as you only deliver the clothing items but not the script containing llGiveInventoryList(). Dragging it directly out of its content will allow the user to take everything out, including your llGiveInventoryList() script that you are not selling to the end-user. The permission is decided upon by the prim, i.e., the creator, not the customer. That is what a permission system is - decided by the creator but not the end-user.
{quote}
Not the point, if the permission system does not allow for content removal then the script will not be able to give the contents out to deliver them. The end-user owns the box now, which means they own the contents, which means they are the owner of the script. Since the end-user is the owner of the script, the script is restricted to the same permissions as the end-user.

      was (Author: Harleen Gretzky):
    It's not a moot point, it is one of the reasons you need to use a boxed item, a boxed item that if no-mod will break if you cannot remove the contents.

{quote}
Using a script to remove the content is allowing the script to decide which of its content can be removed, and which will not selectively, such as you only deliver the clothing items but not the script containing llGiveInventoryList(). Dragging it directly out of its content will allow the user to take everything out, including your llGiveInventoryList() script that you are not selling to the end-user. The permission is decided upon by the prim, i.e., the creator, not the customer. That is what a permission system is - decided by the creator but not the end-user.
{quote}
Not the point, if the permission system does not allow for content removal then the script will not be able to give the contents out to deliver them.
  
> No-Modify object is modifiable: anyone can disassemble and steal its contents
> -----------------------------------------------------------------------------
>
>                 Key: SVC-5054
>                 URL: http://jira.secondlife.com/browse/SVC-5054
>             Project: 2. Second Life Service - SVC
>          Issue Type: Bug
>          Components: Permissions
>    Affects Versions: 1.32 Server
>            Reporter: Nicole Lassally
>            Priority: Critical
>
> You can take contents out of a no-modify object!
> To reproduce permission bug:
> * Create an object
> * Set permission to copy-only (no-modify and no-transfer)
> * Put anything into its content with any permission, i.e., create a script with no-permission or drop an object with no-permission.
> * Give this object to someone
> * Once delivered, rez the object in-world and open its content
> * Copy all its contents (including scripts) into inventory
> * The contents deliver into inventory
> This means that anyone can disassemble all the scripts, textures or anything inside out of a NO-MODIFY object, and steal them from the object and use them on other objects even when the object is no-modify supposedly!
> No-mod does not allow anyone to unlink or edit any of the prims in the object, but why does it allow people to disassemble its content and remove them out of the content and put it in the inventory and then use those parts to build their own object?  That is not what NO-MODIFY means.
> This is a big SECURITY RISK because someone can potentially take the payment script out of a NO-MODIFY object and put it into your own object and steal money from someone else.
> To make it clearer, you cannot drop things (scripts, textures or whatever) into the content of the no-mod object, BUT you can take things (scripts, textures, etc.) out of the object.
