Monday, 19 August 2013

PermissionsEx: Anti-griefing methods for Minecraft

More Grief

If you've already installed and configured Grey Lists using PermissionsEx (as described in my earlier post) then you are well aware of the protection this provides against those pesky griefers. Yeah I know you can white-list your server but this helps you want to showcase your work without risk.

My son can be a little too trusting, and far too keen to attract new builders, and it always seems to be when we have friends of friends connected that trouble starts brewing. A few days ago the inevitable happened, a school pal and his friend paired up for an orgy of TNT abuse, dropping as many buildings as they could in full view of the regular builders. The server was downed soon as he figured out what was happening and the permissions.yml file altered to remove the offenders building rights, but ultimately damage had been done. One of the longest standing buildings was hit so hard that it was reduced to a crater, all in about a minutes chaos!

PermissionsEx Revisited

All the griefing we've experienced so far has been the result of fire or TNT, with the latter obliterating buildings well beyond repair. It made sense after this attack to limit their use, removing them from the standard 'builder' groups rights, but after well over an hour of altering permissions and testing we had only managed to remove the rights to place TNT. It's really a case of trying different modifyworld  restriction in the permissions.yml file until you get a result.

The first thing to be aware of is the order of the permission lines is important. The file is scanned top to bottom and as soon as a match is found it stops. This means restrictions must go before grants using wildcards or they'll never be reached.

      prefix: '&0(&8Builder&0)&7 '
      - -modifyworld.bucket.empty.10
      - -modifyworld.bucket.fill.10
      - -modifyworld.items.pickup.259
      - -modifyworld.items.craft.259
      - -modifyworld.items.use.259.on.block.*
      - -modifyworld.items.use.259
      - modifyworld.*
          rank: '900'

nb. Our restrictions go before modifyworld.* and use the '-' minus symbol to differentiate them from grants. The objects are listed by item/block id (46 = tnt, 10 = lava, 259 = flint and steel)

Now when TNT (46) is placed by a builder the block gets picked straight back up again, similarly the restrictions on flint and steel (259) don't allow you to pick it up or use it. The lava bucket (327) lines need to restrict filling and emptying of a liquid, in this case lava.

You will also need to enable some options in the modifyworld.yml before this works.

item-restrictions: true
use-material-names: false
drop-restricted-item: true
item-use-check: true

I set use-material-names to false so that I could use item and block numbers, but you can leave this set to 'true' and use proper names. Then your restriction would read as per the example below:-


Don't mix the two up or your permissions won't work. Also be aware that the plugins are very sensitive to formatting errors, so check your server log after changing and if necessary run your config through a YAML file validator.

In the mean time I'll work on the fire problem & if anyone has any suggestions then please comment.


  1. This is a good inline parser to check your YML

    You should be using a Backup Plugin that way if something does go horribly wrong you just restore the world file.
    I won't go in to the advantages you already know them :)

    What "fire problem" btw?

    Also consider this:

  2. I use the startup script that mojang recommend which includes a backup option. I found that if you you get the capitalisation on the world name wrong the level still loads but the backup doesn't work. (I'll let you fill the rest in!)

    We also find that daily backups aren't often enough, but I don't want to backup every hour. Saul now knows how to trigger them manually so we should have better protection for future attacks.

    I'd seen a few posts regarding worldguard, I'll look into it. Saul just added DynMap on his own the other day so it's good to have him knowing some unix. Kids grow up with point and click so it's not been easy to get him to embrace the keyboard and terminal. I don't think he'll ever be a developer but I'm pretty keen that all my kids should learnt at least the basics on a proper OS.

    So he now has minecraft running, a terminal window showing the server console and a browser showing the dynmap overview.

  3. Took me time to read all the comments, but I really enjoyed the article. It proved to be Very helpful to me and I am sure to all the commenters here! It’s always nice when you can not only be informed, but also entertained! Minecraft Servers List