Possible vulnerability (default users getting their hands on _any_ kits)!

Hi there,

Today I had an incident on my server, where some script kiddie who had at least one VAC/EAC ban on his account was able to use the /kit functionality to spawn in an admin kit; /kit is only used for gearing up admins and NPCs on my server, and should basically not be available at all to normal players.

I wonder what went wrong, and where? I double-checked that rights to e.g. kits.admin are revoked by default.

It seems that the Rust Kits plugin allows players to access it by default a bit too easily; at least according to oxide/data/Kits/kits_data.json and the default "AuthLevel".

Please advise.

Alright, I solved this one; I had just been too tired when setting the kit permissions and had not input the auth level (perhaps a solution for this would be to make all kits created without user levels admin-only, so that kits that players could get their hands on couldn't be accidentally created?) -- as we all know how eager people are to probe all sorts of vulnerabilities in Rust, having extra security in that one wouldn't hurt...

Haywired

Setting up the permissions/auth level when creating the kit (or any kit) would solve any problems; why make it more inconvenient for other server owners when all it takes is a little care when creating a kit?

pookins

Alright, well, many plugins come with the safety-first practice of disabling things for unauthed players by default -- you unlock things as you go, not the other way around. However, there's no permission-granting flag in Kits for allowing the command to be used overall or not, and the default flag for individual kits is set to 0 with no cooldown. I think it might be a good idea to show the number by default and have at least a cooldown by default.

Just my idea of good practice, since mistakes happen and, well, since Rust is all about exploiting other people's mistakes or lapses, this often tends to show. I've noticed that practically any plug-in on a server that can be exploited in any beneficial way to throw the game's balance off WILL be exploited, so it's all about starting with that in mind. One unset flag and someone will probe their way through, even if the command and the kit are unlisted.

Haywired
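The "fail closed" default Haywired proposes, and a quick audit of which kits a default player can actually claim, as an added example that is not part of this thread or of the Kits plugin. The kits_data.json layout (a kit name mapped to AuthLevel, Permission, Cooldown and Hide fields) and the sample kits are assumptions constructed for the example.

```python
import json

# Constructed sample in the shape this audit assumes for oxide/data/Kits/kits_data.json:
# a mapping of kit name -> settings. The field names (AuthLevel, Permission, Cooldown,
# Hide) are assumptions for this example, not taken from the plugin's own source.
SAMPLE_KITS_JSON = """
{
  "starter":  {"AuthLevel": 0, "Permission": "",         "Cooldown": 600, "Hide": false},
  "adminkit": {"AuthLevel": 0, "Permission": "",         "Cooldown": 0,   "Hide": true},
  "vip":      {"AuthLevel": 0, "Permission": "kits.vip", "Cooldown": 0,   "Hide": false},
  "npcgear":  {"AuthLevel": 2, "Permission": "",         "Cooldown": 0,   "Hide": true}
}
"""

ADMIN_AUTH_LEVEL = 2  # assumed: the level reserved for server admins


def load_kits(text):
    return json.loads(text)


def is_open_to_everyone(kit):
    """A kit with AuthLevel 0 and no permission string is reachable by any player.
    The Hide flag is ignored on purpose: hiding a kit from the list is not access control."""
    return int(kit.get("AuthLevel", 0)) == 0 and not kit.get("Permission")


def audit_kits(kits):
    """Return the sorted names of kits that a default player can claim."""
    return sorted(name for name, kit in kits.items() if is_open_to_everyone(kit))


def fail_closed(kits):
    """Apply the proposed default: any kit created without an auth level or permission
    becomes admin-only instead of open. Returns a new dict; the input is left untouched."""
    hardened = {}
    for name, kit in kits.items():
        kit = dict(kit)
        if is_open_to_everyone(kit):
            kit["AuthLevel"] = ADMIN_AUTH_LEVEL
        hardened[name] = kit
    return hardened


if __name__ == "__main__":
    kits = load_kits(SAMPLE_KITS_JSON)
    for name in audit_kits(kits):
        print(f"open to all players: {name} (hidden={kits[name]['Hide']})")
    print("open after fail-closed:", audit_kits(fail_closed(kits)))
```

Run against the real data file by replacing the constructed sample with the file's contents; the hidden "adminkit" is flagged exactly like the visible "starter" kit, which is the mistake the thread describes.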

Bearing that in mind, the server owner is the one setting up the conditions for each kit, not the plugin. There is no pre-existing condition for any kit; there are options for you to set, and it is a simple matter to choose auth level 2 for any kit when you are creating it in case you make any mistakes, and of course to check it before saving it. I only have approx. 50 kits (so far) and have never had any player "crack" the permission for any kit or grant themselves the auth level for admin kits.