Mod download security?

Anything that prevents you play the game properly. Do you have issues with paying for the game, downloading it or properly running it on your computer? Let us know here.
Post Reply
republikanen
Inserter
Inserter
Posts: 21
Joined: Sat May 25, 2019 11:34 pm
Contact:

Mod download security?

Post by republikanen »

I have heard that the factorio game is "sandboxing" mod code.

But still I want to ask the question:

How safe are you from viruses and malware when downloading mods from a public server when you do not know who started it?

(I am using MacOS)

robot256
Fast Inserter
Fast Inserter
Posts: 218
Joined: Sun Mar 17, 2019 1:52 am
Contact:

Re: Mod download security?

Post by robot256 »

I don't think Factorio ever downloads mods from a game server. It downloads a list of mods to retrieve from the official mod portal. If the server is running custom or altered mods, you have to install them manually from some other source, or the server will not let you join (mod checksum mismatch).

Mods cannot run native code or alter base game code like they do in Minecraft. Every mod script is downloaded in plain text and interpreted during execution by the game engine. The only way to interact with the game is through specific API calls which most (all?) have some degree of input sanitation. The only API-allowed interactions outside the game are writing (not reading) text log files in the game directory, and reacting to keyboard and mouse commands captured by the game.

For a mod to escape the sandbox API and alter your OS, or even just the base game, there would need to be some serious flaws in the Lua engine and C++ code that combine in a particular way. I don't know how to judge the likelihood of that.

User avatar
BlueTemplar
Smart Inserter
Smart Inserter
Posts: 2264
Joined: Fri Jun 08, 2018 2:16 pm
Contact:

Re: Mod download security?

Post by BlueTemplar »

You can also send commands to Factorio from your OS via RCON :

What's the use of RCON ?
viewtopic.php?f=49&t=91503

Is it possible to create your own client?
viewtopic.php?f=69&t=92520

RCON in Single Player or when hosting a MP game from the GUI
boskid wrote:
Tue Oct 27, 2020 7:49 am
RCON in single player will not happen. There is no need to run headless + client to have RCON on localhost: in the config file there is `local-rcon-socket` and `local-rcon-password` (also available through the hidden settings: while in main menu hold Ctrl+Alt and press "Settings" then go to "The rest") - with this it is possible to run single instance that is hosting MP game with graphics for local player and with rcon enabled.

Examples :

Bidirectional IRC bridge for Factorio
https://pypi.org/project/factoirc/

Factorio RCon V1.0.2 W/Whitelisting
viewtopic.php?t=27540

Factorio RCON GUI
viewtopic.php?f=133&t=100872
Image

Clusterio
https://alt-f4.blog/ALTF4-18/

(Aaand I now realize that this is basically offtopic - since to be able to use this weird channel that is MP Factorio that person would have to compromise your OS first, but now I have spent too much time trying to figure out how the hell the OS => Factorio communication works (it's almost never explained for some reason ..?) to just delete these notes... :lol: )

republikanen
Inserter
Inserter
Posts: 21
Joined: Sat May 25, 2019 11:34 pm
Contact:

Re: Mod download security?

Post by republikanen »

Thank you robot256 very much for this excellent and exhaustive answer!!

Now I am able to trust all the mods I am playing both in single mode and in multiplayer!
robot256 wrote:
Wed Jan 12, 2022 4:46 pm
I don't think Factorio ever downloads mods from a game server. It downloads a list of mods to retrieve from the official mod portal. If the server is running custom or altered mods, you have to install them manually from some other source, or the server will not let you join (mod checksum mismatch).

Mods cannot run native code or alter base game code like they do in Minecraft. Every mod script is downloaded in plain text and interpreted during execution by the game engine. The only way to interact with the game is through specific API calls which most (all?) have some degree of input sanitation. The only API-allowed interactions outside the game are writing (not reading) text log files in the game directory, and reacting to keyboard and mouse commands captured by the game.

For a mod to escape the sandbox API and alter your OS, or even just the base game, there would need to be some serious flaws in the Lua engine and C++ code that combine in a particular way. I don't know how to judge the likelihood of that.

Post Reply

Return to “Technical Help”