Wednesday, 15 April 2015

NOTICE: OSSL implementation changes for Paramour products

As of Opensim Git #2e1f5bb (r/25931 2015-04-14) the method for enabling and configuring OSSL functions in a region has been changed (much to the better in my opinion).

Currently the default osslEnable.ini file included with this installation will globally disable the two animation functions that are used by most of my Paramour products including the Dancemaster system, Polemaster system, and PMAC sytem. In order for those systems to work you will need to change them from "false" to a suitable permission value.

The owner of the script for those systems will require permission to use those functions. I strongly recommend only enabling them for ESTATE_OWNER and, perhaps, ESTATE_MANAGER and/or PARCEL_OWNER (depending on your levels of trust in people who hold those positions and who the object owners are likely to be).

There is no possible way to alter the Paramour scripts to avoid using those functions as they are integral the to the products' ability to handle animations for multiple avatars with a single script. Disabling them would then immediately require an additional script per possible user and an entirely different method of handling and triggering animations, completely negating all of the advantages of the system.

The other OSSL functions that Paramour products use are enabled (at least for estate owner and estate managers) in the supplied ini file but for your specific installation might also require a tweak to enable a necessary function for a parcel owner.

You will find the animation function settings in the threat level "VeryHigh" section of the file at approx. line 209.

Example:

  Allow_osAvatarPlayAnimation =     ESTATE_OWNER, ESTATE_MANAGER
  Allow_osAvatarStopAnimation =     ESTATE_OWNER, ESTATE_MANAGER


This will allow the Paramour systems to work properly without exposing your users to malicious scripts (other than from people who are granted those permissions).

2 comments:

  1. Aine, can't you use the safer osNpcPlayAnimation and osNpcStopAnimation... a comment in ossEnable.ini indicates these safer versions replaced the earlier avatar general ones.

    ReplyDelete
  2. No -- it's avatars that are being animated by the majority of my products. They simply *also* include the ability to rez and animate NPCs too.

    Those functions are only "unsafe" if someone uses them in a script for malicious purposes. By limiting them to ESTATE_OWNER, ESTATE_MANAGER and perhaps PARCEL_OWNER you're not in any way increasing "risk" since those all have the ability to do other malicious things anyway via other means. If they abuse that privilege to a guest, the quest can just leave, then report it to the grid manager who can subsequently take appropriate action. You just don't want to expose those functions for random visitors to use.

    Quite honestly, my view is that all ossl functions with the exception of osConsoleCommand can usually be safely allowed for those three user levels since abuse of those functions is typically a "threat" only in the sense of griefing or otherwise making a visitor's experience unpleasant. Ones that expose the server or grid to malicious effects are very few and far between and anyone intent on doing that can find other means to achieve much the same effect anyway. The only *extremely* risky one to a region host is osConsoleCommand

    ReplyDelete