
Re: security risk about eggdrop



-> > > if you would, be sure to put it in a chrooted environment.
-> > > (most eggdrops are poorly configured, ppl w/ rights +mn have access to
-> > > .tcl commands, which means .tcl exec
-> > > eggdrop/filesystem/incoming/myexploit)
-> > 
-> > Yuck. Debian actually has an eggdrop package -- how does it stack up; is it
-> > vulnerable to this?
-> 
-> that's part of the eggdrop code, you'd have to
-> modify the code to take out the ability to
-> run .tcl's.  it's no less secure than giving a user
-> a shell.  i'm sure the eggdrop isn't running as
-> root, so it's not like it can copy your /etc/shadow
-> or anything.  but the tcl scripts will be run as
-> the user running eggdrop, so it'd be just like a
-> local user.

newest versions of eggdrop won't work without tcl. you can still disable
the .tcl command, which is secure enough then, and you have not to set up
the filesystem for someone to be allowed to put up scripts on it remotely.
that's enough
-- 
 Matus "fantomas" Uhlar, sysadmin at NEXTRA, Slovakia; IRCNET admin of *.sk
 uhlar@fantomas.sk ; http://www.fantomas.sk/ ; http://www.nextra.sk/
 Christian Science Programming: "Let God Debug It!".
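
Added example (not part of the original message, and not eggdrop's own code): a small Python check of an eggdrop config for the two points made in the thread, whether the .tcl partyline command is unbound and whether the filesys module exposes an incoming directory. The directive names (unbind dcc n tcl *dcc:tcl, must-be-owner, loadmodule filesys, incoming-path) follow the stock eggdrop.conf and are assumed to match the installed version; both sample configs are constructed.

```python
# Constructed sample configs (not from the thread). Directive names follow the
# stock eggdrop.conf and are assumed to match the installed version.
WEAK_CONF = """\
set owner "alice"
#unbind dcc n tcl *dcc:tcl
set must-be-owner 0
loadmodule filesys
set incoming-path "/home/bot/filesys/incoming"
"""

HARDENED_CONF = """\
set owner "alice"
unbind dcc n tcl *dcc:tcl
set must-be-owner 1
#loadmodule filesys
"""

def active_lines(text):
    """Yield each directive as a token list, skipping blanks and # comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line.split()

def audit(text):
    """Return a list of findings for one eggdrop config (empty list = clean)."""
    unbound, settings, modules = set(), {}, set()
    for tok in active_lines(text):
        if tok[0] == "unbind" and len(tok) >= 4 and tok[1] == "dcc":
            unbound.add(tok[3])            # e.g. "tcl" from: unbind dcc n tcl *dcc:tcl
        elif tok[0] == "set" and len(tok) >= 3:
            settings[tok[1]] = tok[2].strip('"')
        elif tok[0] == "loadmodule" and len(tok) >= 2:
            modules.add(tok[1])
    findings = []
    if "tcl" not in unbound:
        findings.append(".tcl is still bound: +n users can run Tcl as the bot's user")
        # Only matters while .tcl is reachable at all.
        if settings.get("must-be-owner") not in ("1", "2"):
            findings.append(".tcl is not restricted to permanent owners (must-be-owner)")
    if "filesys" in modules and settings.get("incoming-path"):
        findings.append("filesys is loaded with an incoming-path (remote upload area)")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```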

