Mod download security?

Posted: Wed Jan 12, 2022 7:19 am
by republikanen
I have heard that the Factorio game is "sandboxing" mod code.

But still I want to ask the question:

How safe are you from viruses and malware when downloading mods from a public server when you do not know who started it?

(I am using MacOS)

Re: Mod download security?

Posted: Wed Jan 12, 2022 4:46 pm
by robot256
I don't think Factorio ever downloads mods from a game server. It downloads a list of mods to retrieve from the official mod portal. If the server is running custom or altered mods, you have to install them manually from some other source, or the server will not let you join (mod checksum mismatch).

Mods cannot run native code or alter base game code like they do in Minecraft. Every mod script is downloaded in plain text and interpreted during execution by the game engine. The only way to interact with the game is through specific API calls which most (all?) have some degree of input sanitation. The only API-allowed interactions outside the game are writing (not reading) text log files in the game directory, and reacting to keyboard and mouse commands captured by the game.

For a mod to escape the sandbox API and alter your OS, or even just the base game, there would need to be some serious flaws in the Lua engine and C++ code that combine in a particular way. I don't know how to judge the likelihood of that.
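
An added illustration of the sandbox idea described above (example code, not Factorio's own engine or API): a Lua 5.2+ environment that hands the loaded script only a whitelisted table, with a hypothetical write-only `write_file` standing in for the game's log-file API.

```lua
-- Added example, not Factorio's own code. The mod chunk runs with an
-- environment that contains only whitelisted functions; `os`, `io`,
-- `require`, `load` and `dofile` are simply absent from it, so the
-- script has no way to reach the OS except through what we expose.
-- `write_file` is a hypothetical stand-in for an engine API.

local log_lines = {}

local function write_file(name, text)
  -- Bare filename only (no path separators), append-only, write-only.
  assert(type(name) == "string" and not name:find("[/\\]"), "bad filename")
  log_lines[#log_lines + 1] = name .. ": " .. tostring(text)
end

local function run_mod(source)
  local env = {
    math = math, string = string, table = table,
    pairs = pairs, ipairs = ipairs, tostring = tostring, tonumber = tonumber,
    write_file = write_file,
  }
  -- Mode "t" accepts text chunks only, so precompiled bytecode is rejected.
  local chunk, err = load(source, "mod", "t", env)
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Constructed mod scripts for illustration: the first is allowed, the
-- rest fail inside pcall because the global or the filename is rejected.
print(run_mod([[write_file("log.txt", "hello " .. math.floor(2.7))]]))
print(run_mod([[return io.open("secrets.txt", "r")]]))
print(run_mod([[return os.getenv("HOME")]]))
print(run_mod([[write_file("../escape.txt", "x")]]))
for _, l in ipairs(log_lines) do print(l) end
```

Whether a real engine is safe depends on what its exposed API does with the arguments, which is the point the reply makes about input sanitation.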

Re: Mod download security?

Posted: Wed Jan 12, 2022 8:00 pm
by BlueTemplar
You can also send commands to Factorio from your OS via RCON:

What's the use of RCON?
viewtopic.php?f=49&t=91503

Is it possible to create your own client?
viewtopic.php?f=69&t=92520

RCON in Single Player or when hosting a MP game from the GUI
boskid wrote:
Tue Oct 27, 2020 7:49 am
RCON in single player will not happen. There is no need to run headless + client to have RCON on localhost: in the config file there is `local-rcon-socket` and `local-rcon-password` (also available through the hidden settings: while in main menu hold Ctrl+Alt and press "Settings" then go to "The rest") - with this it is possible to run single instance that is hosting MP game with graphics for local player and with rcon enabled.

Examples:

Bidirectional IRC bridge for Factorio
https://pypi.org/project/factoirc/

Factorio RCon V1.0.2 W/Whitelisting
viewtopic.php?t=27540

Factorio RCON GUI
viewtopic.php?f=133&t=100872

Clusterio
https://alt-f4.blog/ALTF4-18/

(Aaand I now realize that this is basically offtopic - since to be able to use this weird channel that is MP Factorio that person would have to compromise your OS first, but now I have spent too much time trying to figure out how the hell the OS => Factorio communication works (it's almost never explained for some reason ..?) to just delete these notes... :lol: )

Re: Mod download security?

Posted: Thu Jan 13, 2022 8:26 am
by republikanen
Thank you robot256 very much for this excellent and exhaustive answer!!

Now I am able to trust all the mods I am playing both in single mode and in multiplayer!
robot256 wrote:
Wed Jan 12, 2022 4:46 pm
I don't think Factorio ever downloads mods from a game server. It downloads a list of mods to retrieve from the official mod portal. If the server is running custom or altered mods, you have to install them manually from some other source, or the server will not let you join (mod checksum mismatch).

Mods cannot run native code or alter base game code like they do in Minecraft. Every mod script is downloaded in plain text and interpreted during execution by the game engine. The only way to interact with the game is through specific API calls which most (all?) have some degree of input sanitation. The only API-allowed interactions outside the game are writing (not reading) text log files in the game directory, and reacting to keyboard and mouse commands captured by the game.

For a mod to escape the sandbox API and alter your OS, or even just the base game, there would need to be some serious flaws in the Lua engine and C++ code that combine in a particular way. I don't know how to judge the likelihood of that.