RyuMaster
Posted January 16, 2017 (edited)

There is a nice Superman script on the resources site: https://community.multitheftauto.com/index.php?p=resources&s=details&id=5477 Someone even modified it to work only for 'admin' groups. But I am new to MTA, and I am thinking, isn't this a big security hole? It seems like the Superman movements are all calculated on the client side; even the check for 'admin' is done on the client side. I know that MTA has an anti-cheat engine; does it prevent stuff like this from being modified? Or if not, what is the actual way to make that script secure, i.e. only usable by admins?

Edited January 16, 2017 by RyuMaster

LoPollo
Posted January 17, 2017 (edited)

On 16/1/2017 at 5:08 PM, RyuMaster said:
> Seems like superman movements are all calculated on client side

They are.

On 16/1/2017 at 5:08 PM, RyuMaster said:
> the check for 'admin' is done on client side

Well, actually the script is usable by whoever is in the team "Admins", and that doesn't necessarily mean that he's an admin (getTeamName). But I doubt that servers will make a team called "Admins" for non-admin players.

On 16/1/2017 at 5:08 PM, RyuMaster said:
> I know that mta has anti-cheat engine, does it prevents stuff like this of being modified?

I'm not an expert on this, but in the worst case (with this script) a non-admin will be able to fly. I don't think it really matters, since he will then be recognised by everyone who sees him and thus get banned/kicked/whatever. I think it's not easy to hack even the team part, and for sure it's not worth it.

On 16/1/2017 at 5:08 PM, RyuMaster said:
> the actual way to make that script secure

Doing checks not on the team but with isObjectInACLGroup, and then telling the client whether it is able to fly or not (and yet this could be hacked). But still, the calculation of velocity etc. must be done client-side to obtain "smoothness" and "responsiveness". So the script, after a quick read, seems OK.

NOTE: I'm not an expert on hacking MTA, and EVERYTHING I said is not tested in any practical way. If anyone has any further details, I hope to see them.

Edited January 17, 2017 by LoPollo

Addlibs
Posted January 17, 2017 (edited)

I suppose a successful way to detect misuse (or unauthorised use) is to regularly (but not too often to avoid overloading the server, especially at high player counts) monitor the element data superman:flying of all players server-side, and if someone appears to have this data set to true without meeting the criteria (i.e. wrong team), issue a ban or inform an admin to investigate the situation.

Edited January 17, 2017 by MrTasty
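
The server-side check discussed in the posts above, as an added example that is not part of the thread or of the superman resource: it tests ACL membership with isObjectInACLGroup and watches the superman:flying element data. The group name "Admin", the 5-second interval and the log-only response are assumptions.

```lua
-- Server-side script (added example, not the superman resource's own code).
-- Assumptions: flight is marked with element data "superman:flying" (the key
-- named in the post above) and the authorised ACL group is called "Admin".
local FLY_KEY = "superman:flying"
local ADMIN_GROUP = "Admin"      -- assumption: ACL group allowed to fly
local CHECK_INTERVAL_MS = 5000   -- assumption: sweep interval, tune for load

-- True only if the player is logged in to an account listed in the ACL group.
-- The decision is made on the server, so the client cannot influence it.
local function mayFly(player)
    local account = getPlayerAccount(player)
    if not account or isGuestAccount(account) then
        return false
    end
    local group = aclGetGroup(ADMIN_GROUP)
    if not group then
        return false -- fail closed if the group does not exist
    end
    return isObjectInACLGroup("user." .. getAccountName(account), group)
end

-- Clear the flag and log it; kick, ban or admin alert is a policy choice.
local function handleViolation(player)
    setElementData(player, FLY_KEY, false)
    outputServerLog("superman: unauthorised flight flag on " .. getPlayerName(player))
end

-- Periodic sweep over all players.
setTimer(function()
    for _, player in ipairs(getElementsByType("player")) do
        if getElementData(player, FLY_KEY) and not mayFly(player) then
            handleViolation(player)
        end
    end
end, CHECK_INTERVAL_MS, 0)

-- Event-driven variant: react as soon as the flag is written.
-- Clearing the flag re-fires the event with a false value, which is ignored.
addEventHandler("onElementDataChange", root, function(key, _, newValue)
    if key == FLY_KEY and newValue and getElementType(source) == "player"
        and not mayFly(source) then
        handleViolation(source)
    end
end)
```

Because movement is still computed client-side, this detects and records unauthorised use of the flag; it does not by itself stop the movement.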

RyuMaster (Author)
Posted January 18, 2017

I see, thank you for letting me know. So basically I should implement some basic anti-cheat checks for my scripts, similar to this one. Could you explain ACL a bit more here? I just cannot wrap my head around it. I can see people doing isObjectInACLGroup() checks in their scripts. But I have this vague idea, after reading the wikipedia, that if I set, say, the resource 'superman' permission to run only for the admin group inside the ACL, this makes the isObjectInACLGroup() check redundant? Or not? What is the point of making a resource available only to admins inside ACL groups if we have the isObjectInACLGroup() check? Are they different?

LoPollo
Posted January 18, 2017

A resource in the admin ACL group is a resource that has access to the functions available to that ACL group: see acl.xml (if I remember right); it will help you get an idea of this.