
Re: security risk about eggdrop



On Thu, 23 Dec 1999, Joey Hess wrote:

> > if you would, be sure to put it in a chrooted environment.
> > (most eggdrops are poorly configured, ppl w/ rights +mn have access to
> > .tcl commands, which means .tcl exec
> > eggdrop/filesystem/incoming/myexploit)
> 
> Yuck. Debian actually has an eggdrop package -- how does it stack up; is it
> vulnerable to this?

that's part of the eggdrop code, you'd have to
modify the code to take out the ability to
run .tcl's.  it's no less secure than giving a user
a shell.  i'm sure the eggdrop isn't running as
root, so it's not like it can copy your /etc/shadow
or anything.  but the tcl scripts will be run as
the user running eggdrop, so it'd be just like a
local user.

------------------------------------------------------
hypnos              <mailto:hypnos@m-net.arbornet.org>


