
Author Topic: Restricting some Lua commands to vera only?  (Read 5501 times)

Offline Gabriel

« on: May 11, 2017, 07:32:00 am »

I think that it's quite interesting to be able to use the Vera units through UPnP. I also like the ability to run Lua commands in scenes or scripts.

I however have mixed feelings about some combinations of those two elements, especially the fact that on an already compromised network, an attacker could do whatever he wants with the Vera, including possibly setting it up as a "host" for a later intrusion.

OK, this requires a compromised network, but I unfortunately think that a network being compromised at some point might perhaps not be that rare (something Mirai-like using an insecure device on your LAN, having foolishly shared your Wi-Fi connection with a visiting family member while you don't know if his device is compromised, ...).

I was thus wondering if there would be a possibility to restrict some Lua commands so that they can only be run when called locally (I'm thinking about os.execute, but there might also be other "interesting" ones).

Would it be possible, as an example, to restrict os.execute to only be allowed from the luup engine, but not bind it through the UPnP commands?
Or better, enable it through UPnP actions only if the client is the Vera? (So that it would work from a script running on the Vera using a UPnP action, but would not be allowed if this UPnP action is invoked from outside of the Vera.)

Any thoughts about this from the MCV/Vera people?