What do the "sanitizeMondules (x) lua commands do?

[AKA_Clutter]

Hi,

 

I'm looking at running the Liberation Campaign on a decicated server.  To set that up, the have you commenting out three lines in MissionScripting.lua file.  The lines are the sanitizeModule ('os'),  sanitizeModule ('io), and sanitizeModule (lfs).

 

What do these lines actually do and what impact will it have in commenting these out.

Edited April 10, 2022 by AKA_Clutter

[cfrag]

Lua comes with libraries to fully access your PC. The 'sanitize' commands essentially disable those modules.

If you comment them out, these modules' methods can be invoked by any script that your missions run. An attacker may then use a .miz as an attack vector to execute arbitrary code on your machine, or read/write arbitrary data. DCS isn't sandboxed, and the sanitize command is DCS's approach to wall off a mission's Lua environment from the rest of your system. The problem is, without these libraries, Lua scripts inside a mission can't write data to your system's permanent storage, and so persistence is impossible beyond the scope of the mission running in memory. So missions that want to save data need access to lfs and io. If you comment them out, they can read and write data. And so (potentially) can any other Lua script running in DCS.

os is the operating system (date, time, local processes) library for Lua -- be a bit more wary if someone wants access to this.

lfs is the file system (directory manipulation) access library for Lua

io is the input/output (file reading/writing) module for Lua

Commenting them out is usually not that consequential, just remember that you have a potential vector for for ill intent, and be cautious.  

 

 

Edited April 10, 2022 by cfrag