Perrie Juran

Revoking Permissions


I am not sure where else to pose this question and this seemed to me to be the most appropriate section of the forum to ask this.

In the Lifestyles and Relationship sub forum there is a thread about an item called "The Master's Band."

http://community.secondlife.com/t5/Lifestyles-and-Relationships/Master-s-Band/m-p/1112071/message-uid/1112071#U1112071

In that thread, a poster makes the statement that once you grant another Avatar permission to animate your Avatar through this item like can be done with a scripted collar or an RLV enabled viewer, that there is no way to revoke this permission.

"The only way for this to work, is for the person wearing the band to scan avatars nearby with it, select one, the person will get a drop down permissions window and they would have to select "Yes."  So, this is an opt in device.  If they were to click "No," the band owner would have no power over them.  As I said before, if someone clicks Yes on the permissions window, there is no way for them to EVER remove themselves from it.  The owner of the band has to do it him/her self. There is no way to use it on "passersby."  They would have to opt in."  (pertinent statement bolded)

Personally, I am having a hard time buying this possibility.

Thanks in advance for your input.

Perrie

Link to post


Perrie Juran wrote:

As I said before,
if someone clicks Yes on the permissions window, there is no way for them to EVER remove themselves from it.
 

 

Doesn't relogging revoke an animation permission? So does "stop animating my avatar" in the viewer menu, afaik.

Link to post

This is in regards to privileges not animations. If you opt in as said, to be controlled by the person who has a controlling device, you cannot remove control. However if you as the submissive are the owner of the device and wish to remove who is granted ownership and able to manipulate the device remotely you can, or SHOULD be able to.

RLV items should always have a remove Master/Mistress option, otherwise they would be very sucky items lol.

 

VR Foundry Products for the WIN!

 

 

Link to post


Rolig Loon wrote:

The bug described in
 is apparently still there, so this may be true, for now. I've never played with it to see, though, so I don't know any more than this.

Very interesting that Maestro said it was reproducible and probably worth fixing.

Probably the only reason it is only probably worth fixing is probably we haven't seen it used as a griefing tool.  Probably that is.

Link to post

Also interesting that it has been in the JIRA as a Major bug since 2007.   You probably ought to add your concern to the JIRA.  Maybe it will jog someone into working on it.

Link to post

I thought they had fixed the requesting null permissions bug =( but apparently it only works for auto-permissions (sitting/attached)

in general permissions stay in the script as long as they are valid (auto permissions expire when standing/detached)... that means granted permissions normally stay forever (I built a reduced spam hugger on this, that only requested permissions once... and a voodoo doll =X)

 

phoenix has the ability to revoke granted permissions, both automatically and manually, but the main viewer has never had that ability to my knowledge (losing permission on logout would be bad for items that require them to function)

Link to post


Void Singer wrote:

I thought they had fixed the requesting null permissions bug =( but apparently it only works for auto-permissions (sitting/attached)

in general permissions stay in the script as long as they are valid (auto permissions expire when standing/detached)... that means granted permissions normally stay forever (I built a reduced spam hugger on this, that only requested permissions once... and a voodoo doll =X)

 

phoenix has the ability to revoke granted permissions, both automatically and manually, but the main viewer has never had that ability to my knowledge
(losing permission on logout would be bad for items that require them to function)

 

Can you give examples of something that would REQUIRE this? 

Link to post


Perrie Juran wrote:


Probably the only reason it is only probably worth fixing is probably we haven't seen it used as a griefing tool.  Probably that is.


Unfortunately there is at least one griefing tool out there that is using this.  And the permission is persistent as long as the script is not reset.

Link to post

debit and change links for absolute needs.... vendors are a pretty obvious example, but there are also customization factories and other items that need to run even if their owner isn't around for the latter.

for the rest it's a matter of convenience and non-annoyance.... which includes anything that doesn't attach to you, or you aren't sitting on.... the memory hugger is one example, it cuts out a second dialog, there are dance balls and chims that do the same thing, as well as pets and cam followers too.

Link to post

The relevant jira, as well as the one noted by Rolig, is probably this one: VWR-13228: Object can obtain and retain permissions indefinitely without avatar's knowledge and no way of knowing who took it - possible security issue

LL is apparently well aware of the problem, but designing a fix that won't break existing legitimate content is apparently proving rather tricky, as the comments in that lengthy thread indicate.

Link to post

I believe that part is fixed for any new content.... auto-grant perms are still wiped when getting up....

 

I think the remaining case is more the social problem of being tricked into granting permissions via dialog, by an object that seems harmless, then having those permissions used against you (such as how my voodoo doll worked, and why I never marketed it, even though I built in limits on use).

 

if one uses Phoenix, they can revoke, but the vaniLLa viewer provides no such function, so the market hype as quoted by Perrie is indeed true for most people. I gather from comments that it's possible that even the phoenix revocation doesn't work on items attached to other avatars.

Link to post


Perrie Juran wrote:

I am not sure where else to pose this question and this seemed to me to be the most appropriate section of the forum to ask this.

In the Lifestyles and Relationship sub forum there is a thread about an item called "The Master's Band."



In that thread, a poster makes the statement that once you grant another Avatar permission to animate your Avatar through this item like can be done with a scripted collar or an RLV enabled viewer, that there is no way to revoke this permission.

"The only way for this to work, is for the person wearing the band to scan avatars nearby with it, select one, the person will get a drop down permissions window and they would have to select "Yes."  So, this is an opt in device.  If they were to click "No," the band owner would have no power over them.  As I said before,
if someone clicks Yes on the permissions window, there is no way for them to EVER remove themselves from it.
  The owner of the band has to do it him/her self. There is no way to use it on "passersby."  They would have to opt in."  (pertinent statement bolded)

Personally, I am having a hard time buying this possibility.

Thanks in advance for your input.

Perrie

Perrie,

You can "buy" what I said or not.  What I'm telling you is that I have people who are still in my Master's Band that have been there since I got the thing to control my subs back in 2008.  They were put in then and are still in it now.  I tested it again today after having it in mothballs for over a year, and yes, I was still able to control one of the people who was still in the list. 

If memory serves, there is a max distance one has to stay within (96m) of the sub, or the command doesn't work.  Not positive about that though.  It's been long enough I don't remember.  It may be you have to be on the same sim. 

But this band works just as I have stated it does.  Once permission is granted from the dropdown menu, only the owner of the band can remove the person from it. 

Link to post

Marcus Hancroft wrote:

Perrie,

You can "buy" what I said or not.

 

Are you faulting me for taking this to an 'impartial jury' so to speak in order to find out more?  I really hope not.  And given the details of this security flaw, details that are starting to creep out into the public eye, I am glad that I pursued this matter.

I have no reason to believe that you personally have any nefarious intentions.  But sadly there are others who log into Second Life with the sole intent of getting their jollies by harassing others.  And as I stated above, I now believe that this has been going on 'under the radar.' 

I never discount things because there exists a potential for abuse.  I wouldn't say let's get rid of the automobile simply because someone could choose to use it as a weapon.  But I don't believe that having an irrevocable permission running in Second Life is in the best interest of the Residents.

 

Link to post


Perrie Juran wrote:


Marcus Hancroft wrote:

Perrie,

You can "buy" what I said or not.

 

Are you faulting me for taking this to an 'impartial jury' so to speak in order to find out more? 
I really hope not.  And given the details of this security flaw, details that are starting to creep out into the public eye, I am glad that I pursued this matter.

I have no reason to believe that you personally have any nefarious intentions.  But sadly there are others who log into Second Life with the sole intent of getting their jollies by harassing others.  And as I stated above, I now believe that this has been going on 'under the radar.' 

I never discount things because there exists a potential for abuse.  I wouldn't say let's get rid of the automobile simply because someone could choose to use it as a weapon.  But I don't believe that having an irrevocable permission running in Second Life is in the best interest of the Residents.

 

Absolutely not.  It sounded to me from the way you said it that you didn't believe me when I said the permissions can not be revoked by the sub.  I was just trying to assure you that it is true.  I used my band to control the subs that belonged to me, and one other who didn't but wanted to be on my band anyway and I never used it to grief anybody. 

Link to post

I share some of your concern, Perrie.  As Void and Innula point out, though, it's tough to see how to make some permissions revocable without, for example, breaking vendors that depend on PERMISSION_DEBIT being persistent.  I can think of a handful of other LSL functions that can easily be used for evil but are indispensable for many applications.

Link to post

the simple solution is just to add revocation to the viewer code.... this would solve both the problem of people tricking permissions out of others, and scam items given to others (like debit siphons)...

I see no need to auto revoke permissions that are granted normally, as they are a major convenience and necessity in some cases... just need the ability to revoke already granted ones when you want.

Link to post

I guess the difficulty -- one difficulty, anyway -- must be to find a way to communicate to a script in an object that's not necessarily on the same sim, and, indeed, not necessarily rezzed in world at all, that it no longer has permission to animate someone. 

Link to post

Phoenix Permissions.JPG

Firestorm Protection.JPG

 


Void Singer wrote:

the simple solution is just to add revocation to the viewer code.... this would solve both the problem of people tricking permissions out of others, and scam items given to others (like debit siphons)...

I see no need to auto revoke permissions that are granted normally, as they are a major convenience and necessity in some cases... just need the ability to revoke already granted ones when you want.

I don't know how well these functions actually work in Phoenix and Firestorm, I have always left this set at the default function.

Also, I don't know how well this would work against the function in question here.

I'm not particularly up to the job of playing guinea pig here.

I do wonder if you knew who the controller was, if muting that individual would stop the action?

Link to post


Perrie Juran wrote:

[...] I do wonder if you knew who the controller was, if muting that individual would stop the action?

unfortunately, no.

 

@Innula

I believe any call to use it must be made from the same region, so if it's done against you, the trickster needs to be in the same region, or at least their object, if not, then no worries. and I believe the permissions break if they try from a different region.... that only really leaves the case of copiable objects in inventory, which could be solved by adding the packet to mute as well (assuming the viewer actually knows who the animator is, in which case it could be added to the push/bump list too to identify them)

Link to post


Perrie Juran wrote:


Void Singer wrote:

the simple solution is just to add revocation to the viewer code.... this would solve both the problem of people tricking permissions out of others, and scam items given to others (like debit siphons)...

I see no need to auto revoke permissions that are granted normally, as they are a major convenience and necessity in some cases... just need the ability to revoke already granted ones when you want.

I don't know how well these functions actually work in Phoenix and Firestorm, I have always left this set at the default function.

Also, I don't know how well this would work against the function in question here.

I'm not particularly up to the job of playing guinea pig here.

I do wonder if you knew who the controller was, if muting that individual would stop the action?

The only way to know this for sure is to test it and see.  Interesting idea here, Perrie.  I'll conduct this test, changing the revoke permissions in Phoenix and then having him mute me to see if that stops the band's ability to control his avatar, when I get inworld in a short while.  I'll post the results here in another response.

Link to post


Innula Zenovka wrote:

Ah.. if muting the owner works, that's rather less alarming, I guess, assuming you know who it is.   

Innula, I am inworld now but none of the people I have locked into my band are.  Once I can test these ideas, I'll report back here as soon as I can.

Link to post

I find this quite interesting. As me and a friend were exploiting this for fun way back in 07. I'm quite surprised it still has not been fixed.

But, to clear it up. No, there is no way to revoke the permissions, and they will be kept till the end of time.

Take the object with permissions into inventory. now it's in there, with permissions whenever you want to use it.

Link to post
