Page MenuHomeFeedback Tracker

Debug Console Security Changes
New, NormalPublic

Description

'Tweaked: Security of the debug console was improved'

This was a change in the latest Arma 3 Update (1.70) change log. Prior to this update I used 'createDialog "RscDisplayDebugPublic"' in an admin menu to give admins access to the debug console. This was convenient as I could use it as a way for multiple players to open and use the debug console rather than having it limited with the pause/escape menu debug console only allowing it to be used by a logged in admin. With this latest update, I can no longer use the debug console in the above way. After looking into the code behind the debug console I can see it now uses a 'isDebugConsoleAllowed' which checks if the player is an admin, the value is set for all users in the description.ext or if the session is in singleplayer. This is an issue for me, and I'm sure many other servers which use a method similar to mine. Admins on my server who have been given access to this debug console through createDialog can no longer access it. Instead, they need to be logged in as an admin, which is a problem because there can only be 1 admin logged in at a time.

I really hope there is a way around this or that it can be changed somehow because this is really annoying and I really need to be able to do this.

Details

Severity
Major
Resolution
Open
Reproducibility
Always
Operating System
Windows 10 x64
Category
Scripting
Steps To Reproduce

Run a mission on a multiplayer server with the enableDebugConsole option in the mission's description.ext set as either 0 or 1. Then, run 'createDialog "RscDisplayDebugPublic"' while you're not logged in as an admin and you will not be able to access the whole debug console.

Event Timeline

ShadowRanger changed Category from Menu UI to Scripting.May 17 2017, 2:18 PM

There was security flaw in debug console that allowed to launch it without any permission with relatively short code. This has now been removed. Leaving this flaw would have been far worse for everyone running public servers than a little inconvenience for a few people that exploited this flaw for own benefit.

A custom admin panel would probably be better solution in the long run.

Gnashes added a subscriber: Gnashes.EditedMay 17 2017, 10:51 PM

If BI ever decided to explore a method for "multiple admins having access to debug", a compromise for security could be done via some method similar to the following:

enableDebugConsole = 3; // available to all admins identified in server.cfg admins[]

This would essentially allow server owners to either allow only logged in admins to access debug and many admins use the #login command(eDC=1), or to allow access to the debug console for all whitelisted admins who may also login with the #login command(eDC=3).

A thought, at any rate.

Gnashes has a good idea please fix this or implement a workaround for us so we are able to have more than one admin with the access to the console. Please do not ignore this BI thank you.

If BI ever decided to explore a method for "multiple admins having access to debug", a compromise for security could be done via some method similar to the following:

enableDebugConsole = 4; // available to all admins identified in server.cfg admins[]

This would essentially allow server owners to either allow only logged in admins to access debug and many admins use the #login command(eDC=1), or to allow access to the debug console for all whitelisted admins who may also login with the #login command(eDC=4).

A thought, at any rate.

+1

I think the idea suggested by @Gnashes would be a very good solution to this issue. This would allow for more than 1 admin to access the debug console at a time, and I doubt it would pose any security issues as well.

From today, enableDebugConsole description.ext param can be array containing UIDs of whitelisted users. It will also act as enableDebugConsole = 1

For example

enableDebugConsole[]={"1234567890"};

Will make debug console usable for user with uid 1234567890 as well as for server host and logged in admin on dedicated.

Jigsor added a subscriber: Jigsor.May 25 2017, 10:23 PM

I agree that Gnashes solution would be best. I do not want to publicly release all my admin's UIDs by including them in description.ext which is downloaded by anyone joining our server.

Unfortunately Gnashes solution will require quite significant engine changes and cannot be done with just scripting and config.

@BIS_fnc_KK changing the console already required significant change, didn't it? Given how a big share of arma community is based on clan-oriented servers, it needs to be a server config. Removal of admin console is not very far from way of thinking that "removal of multiplayer would fix the hacking problem" ;)

Unless... KK do you know if the change was made engine side, or function side? Can it be reverted with a mod?

dedmen added a subscriber: dedmen.EditedMay 26 2017, 10:43 AM

Looks scriptside to me:

<redacted for security reasons>
@BIS_fnc_KK you messed up https://feedback.bistudio.com/T125063

can we also review the ability to create a debug console with ctrlcreate

ctrlcreate ['rscdebugconsole',-1]

only seen it used for malicious purposes

Looks scriptside to me:

<redacted for security reasons>
@BIS_fnc_KK you messed up https://feedback.bistudio.com/T125063

Not really.

@demicanadian No one removed debug console, you probably misunderstood the whole ticket.

@MDCCLXXVI I can create non-functional console the way you suggested

I know that logged in admin sees debug console. But people with admin addon (signed by server's admin, with built in UID check to only allow specific people to use it) no longer do.

I know that logged in admin sees debug console. But people with admin addon (signed by server's admin, with built in UID check to only allow specific people to use it) no longer do.

This will still be possible, sort of. Will go in more details a bit later on.

In 1.72 enableDebugConsole param could be defined in root of a mod. If no mission param is defined, this one will be used. Default is 0

dedmen added a comment.EditedJun 22 2017, 3:07 PM

@BIS_fnc_KK If no mission param is defined Nope again. https://feedback.bistudio.com/T125778

Also if you have to use a signed PBO anyway. You can just overwrite the Console UI config and remove the isDebugConsoleAllowed check.
Or overwrite isDebugConsoleAllowed in CfgFunctions

This change caused an additional problem. I can no longer see debug console while in editor through editor menu options Tools\Debug Console. enableDebugConsole not existing in description.ext so its not over riding there... no mods loaded. screen shots -
http://i.imgur.com/1ySXEP5.jpg
http://i.imgur.com/1owrYOP.jpg
This behavior of only being able to see the Cancel button is what it looks like in mission on dedi if not loged as admin and initiated by admin tool mod since you removed access for non loged in admins. It has to be related

BIS_fnc_KK added a comment.EditedJun 27 2017, 12:14 AM

This change caused an additional problem. I can no longer see debug console while in editor through editor menu options Tools\Debug Console. enableDebugConsole not existing in description.ext so its not over riding there... no mods loaded. screen shots -
http://i.imgur.com/1ySXEP5.jpg
http://i.imgur.com/1owrYOP.jpg
This behavior of only being able to see the Cancel button is what it looks like in mission on dedi if not loged as admin and initiated by admin tool mod since you removed access for non loged in admins. It has to be related

I cannot repro this. Editor console is available in SP regardless of the description or editor attribute so there is no reason it would do that unless somehow something else is modified or horribly broken. BTW it looks like you are running some mod even though you say you are not, that icon next to PC in the bottom right corner of the editor should be greyed out if no unofficial mods are launched.

Nope again

That is being looked at, thanks

OK, so debug console is working in sp editor but, why is the console ui incomplete in mp editor. It used to work in mp editor.
Why does mp editor indicate running mods when in the same instance without restart sp editor indicates no mods (icon grayed out).
http://i.imgur.com/4wEXTu5.jpg
http://i.imgur.com/9QTMWzI.jpg

BTW -filePatching is not enabled if that makes any difference.

Further to clarify which editor I am talking about. SP editor/main menu editor button. MP editor - from main menu click host server button on top then host server button in the middle of screen then select existing editable mission then 3D editor button or select <<New - 3D Editor>> from mission selection list.

I was able to reproduce this, thanks.

Dystopian added a comment.EditedJul 9 2017, 2:42 AM

Recent changes in dev branch (1.73.142299) don't allow use addon version with this line in RPT:

ArmA3\adds\enable_debug_console\config.cpp.enableDebugConsole: Cannot update non array from array

It's because of useless enableDebugConsole = 0; in config. By default getNumber returns 0 even without it.

Recent changes in dev branch (1.73.142299) don't allow use addon version with this line in RPT:

ArmA3\adds\enable_debug_console\config.cpp.enableDebugConsole: Cannot update non array from array

It's because of useless enableDebugConsole = 0; in config. By default getNumber returns 0 even without it.

This seems to be indeed some recent change in exe. Thanks for reporting this

Also if I managed to set enableDebugConsole to array, I get

Warning Message: 'enableDebugConsole/' is not a value

on screen and in RPT on each console opening because of getNumber call on array value,

Also if I managed to set enableDebugConsole to array, I get

Warning Message: 'enableDebugConsole/' is not a value

on screen and in RPT on each console opening because of getNumber call on array value,

What do you mean by "managed". Are we still talking setting it in mod or in mission? Could you give repro?

mod one. I use 2 addons: one to delete value and one to set array. Repro: try to use getNumber on config with array value.

mod one. I use 2 addons: one to delete value and one to set array. Repro: try to use getNumber on config with array value.

Must have been another change that happened recenlty. Thanks for reporting this, I managed to repro.

Please check today's dev. All of the reported issues here should be fixed.