Re: security risk about eggdrop
On Thu, 23 Dec 1999, Joey Hess wrote:
> > if you would, be sure to put it in a chrooted environment.
> > (most eggdrops are poorly configured, ppl w/ rights +mn have access to
> > .tcl commands, which means .tcl exec
> > eggdrop/filesystem/incoming/myexploit)
>
> Yuck. Debian actually has an eggdrop package -- how does it stack up; is it
> vulnerable to this?
that's part of the eggdrop code, you'd have to
modify the code to take out the ability to
run .tcl's. it's no less secure than giving a user
a shell. i'm sure the eggdrop isn't running as
root, so it's not like it can copy your /etc/shadow
or anything. but the tcl scripts will be run as
the user running eggdrop, so it'd be just like a
local user.
------------------------------------------------------
hypnos <mailto:hypnos@m-net.arbornet.org>