On my server anyone can enable and disable punkbuster, whats worse, I've confirmed I can do it on others, and update their punkbuster etc..

This I consider a huge security flaw, is there any way to diable local access without administrator priviliges.

I have set rcon password and pb_sv_httpkey (not that that matters) but the darn thing is fully accessible.

Did I miss something?

Did you rent a server or is this a server you are running from your house?

And what do you mean about disabling "local access"? Are there multiple servers running on the same machine or something, with multiple CoD admins accessing the box?

OK..

I may not have come across well.

1st of all, its a linux server that I have installed at a data centre running RH and COD. not that that should have any bearing on this...

I can go to "a" server, enable punkbuster, /pb_sv_enable

I can then update the server /pb_sv_update

This I can do at whatever server I want..

WHY?

What can be done so that when people are on the server (I call that locally) to stop them from touching punkbuster?

It should be ONLY if YOU HAVE RCON password THAT YOU CAN DISABLE and ENABLE and fark around with PUNKBUSTER.

TRY THIS...

go to a server and type pb_sv_update and watch!

Can someone answer that?

I see for AA for example it shows that you must have admin to start stop or whatever with punkbuster, but for COD any moron can do it.

I wonder if one can kickban someone from the server using punkbuster.. .eh.. now that would be soo stupid..

Dude, who cares. Just join and play.

If you disable pb while in the server, pb is still on untill you leave. I am not sure you can do that while in the game. It takes place after you leave the game for the next one.

And the onnly pb you can update is your own.

I am not sure who gave you the info that you can just walk into any server and update the server's punkbuster becasue it is impossible without the rcon and also the command is

\rcon pb_sv_update

OK..

I can go to "a" server, enable punkbuster, /pb_sv_enable


that would enable pb on your client just like going into multiplayer options and turning it on or off you are not changing it on the server unless you type /rcon pb_sv_enable

I can then update the server /pb_sv_update

This I can do at whatever server I want..

WHY?


same as above you are updating the pb files of your client not the server to update the server it would be /rcon pb_sv_update

so the fact is not anyone can join any server and turn it on or off

Yeah, it sounds like you're only affecting your local machine not the server as nolimsystem suggested.

But according to the documentation, the commands for a client start with PB_CL_ not PB_SV_:

The alternative method of Enabling and Disabling PunkBuster (on the CLIENT machine) involves typing commands into the game console. To Enable PunkBuster from the console, type in "PB_CL_ENABLE" without the quotes. To Disable PunkBuster, type "PB_CL_DISABLE". If you wish to run your own game server, you can Enable/Disable the corresponding PunkBuster Server software using similar commands: "PB_SV_ENABLE" and "PB_SV_DISABLE".

That came from: http://www.evenbalance.com/publications/cod-pl/index.htm

I'm wondering if the client still recognizes those commands anyway and acts on them despite the difference.

Anyway, what Clanwarz said above is true: You have to know the rcon password and use the enable/disable commands using /rcon remotely.

Indeed. The guy's missing the point about rcon.

Unless he precedes the commands with /rcon he's only issuing them to the PB server on his own PC, not the actual game server he's playing on.

Unless he knows the rconpassword for that server and is logged in he'll simply get "Bad rconpassword".