View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006303 | unreal | documentation | public | 2023-07-13 16:58 | 2023-07-15 19:04 |
Reporter | rafaelgrether | Assigned To | syzop | ||
Priority | low | Severity | feature | Reproducibility | N/A |
Status | resolved | Resolution | fixed | ||
Product Version | 6.1.1.1 | ||||
Fixed in Version | 6.1.2-rc1 | ||||
Summary | 0006303: Minimum security level for oper password | ||||
Description | Hi guys, I know that despite the recommended security measures (https://www.unrealircd.org/docs/Security), they are rarely applied by system administrators. Most (bad) system administrators keep UnrealIRCd with drwxr-xr-x permissions. Recently, one IRC network had their web server hacked (remote file inclusion vulnerability), and this attacker (probably using www-data credentials) had read access to unrealircd.conf and got the oper password. We know that best practice would be to never use a plain/text password, https://www.unrealircd.org/docs/Authentication_types is very clear about this. But we also know that most IRC installs just follow example.conf, but they don't read the full documentation on the site. Despite being a sysadmin flaw, I think if there's a way to mitigate this, that would be great. So, I suggest you change example.conf and add instructions to generate the oper password using "./unrealircd mkpasswd". This is a minimum security level desired. And then, if the sysadmin reads the full documentation on the site and wants to improve security by adding certfp or spkifp, great! But leaving the plain/text password, I believe it is a great measure. Something like this: https://github.com/devnull-hub-lab/unrealircd/commit/b779908a1430dece9cd12933d4116aa0bd01a0a6 What do you think? Thanks | ||||
Tags | No tags attached. | ||||
3rd party modules | |||||
|
That's a good idea, totally recommended! +1 |
|
Good idea to refer more to this from the config file indeed. Just a side note regarding file permissions: UnrealIRCd will always (try to) chmod every config file to rw-------, so it is unlikely that the file permissions of the actual conf files were wrong and could be read by other users. Maybe the ircd and the web(script) were running as the same user? We see that occasionally, where someone uses something that is actually meant for the web (php scripts and the like) for running the ircd also. Usually quite visibly by the way, with ircd paths being in /opt/www/ or the like. The old security guide had a warning about using a separate user for running unrealircd, and also a warning that if you run other services on the box they were far more likely to be exploited (hacked) than exploiting an issue in the ircd itself. Due to a rewrite of the guide it was removed though, I didn't want to make it too long and was not sure if I should say such general things. I'm also not sure if the people who actually do that kind of thing would read and act on those tips in the first place. Still may be worth putting it back... |
|
Thanks syzop, I really don't know exactly what happened to this network, but really, it could be that the webserver/php (with setuid or cgi scripts) was running under the same user as UnrealIRCd. Even so, referring more to this from the config file I think it's a good measure. Plain/text password is a terrible idea. So, I suggested to refer to this in the config file too, for sysadmins who don't read the site's documentation, they won't have problems of this type. About site docs, my opinion is that the more complete the site docs, the better. I think that these days security should be taken much more seriously than before (compliance, GDPR, etc..) |
|
Understood, I have now updated the text in the security article. For what it's worth, this was the old text coming from UnrealIRCd 3.2.x times: "There's a far bigger chance a box will get hacked by a non-irc(d) vulnerability than by some bug in UnrealIRCd. If you for example run http, dns, smtp and ftp servers on the same box you have a much higher risk. Also, if you are on a multi-user box (eg: you bought a shell) there's the risk of local exploits and bad permissions (see next). This risk is quite high so be careful when selecting a shell provider." Of course that is quite out of date now, with shell providers not being much of a thing anymore. So the new text at https://www.unrealircd.org/docs/Security#Use_dedicated_account.2C_and_if_possible.2C_machine is now: "Use dedicated account, and if possible, machine Run UnrealIRCd under its own account, don't share the account with anything else. Services too, run that on a different account. If you run other daemons on the machine, like a webserver, mail server, etc. then you increase the attack surface a lot. The machine is at far bigger risk to get hacked by one of those other services than through the IRC server. Ideally you would run only the IRC server (and perhaps Services) on the machine, and not anything else. With cheap VM plans of nowadays that is quite doable too! " |
|
Yes, much better. About changing example.conf, do you think it's worth it? Just +2 or +3 lines in example.conf. I'm thinking of sysadmins who don't read the full site documentation, and just consider what is written in example.conf. They don't know that they can generate the password in hashed form. If the oper password was leaked from the .conf file, it can cause serious trouble. |
|
Thanks for the suggestion(s). Done! https://github.com/unrealircd/unrealircd/commit/b3995f48ffe765eb64533901e0d09235f945c8a2 commit b3995f48ffe765eb64533901e0d09235f945c8a2 (HEAD -> unreal60_dev, origin/unreal60_dev, origin/HEAD) Author: Bram Matthys <[email protected]> Date: Sat Jul 15 08:58:57 2023 +0200 Mention password hashing in the example.conf itself. Suggested by rafaelgrether in https://bugs.unrealircd.org/view.php?id=6303 |
|
I also did this: https://github.com/unrealircd/unrealircd/commit/cdc14569a9d1c2f46b98b56ea93759ac5a0ed117 commit cdc14569a9d1c2f46b98b56ea93759ac5a0ed117 (HEAD -> unreal60_dev, origin/unreal60_dev, origin/HEAD) Author: Bram Matthys <[email protected]> Date: Sat Jul 15 18:48:27 2023 +0200 Warn on plaintext oper::password in conf and even go as far as generating the password hashes and suggesting using those. This also starts the initial work on set::best-practices https://www.unrealircd.org/docs/Set_block#set::best-practices with hashed-passwords as the first setting there. |
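
The two checks discussed in this thread (an oper block with a plaintext password, and a config file readable by other accounts) can also be audited from outside the ircd. The following is an added example, not code from UnrealIRCd or from anyone in this thread; the sample config is constructed and trimmed to the fields the check reads, and the hash-prefix list is an assumption about what hashed values look like.

```python
import os
import re
import stat

# Constructed sample config (not the project's example.conf).
SAMPLE_CONF = """\
oper alice {
    mask *@*;
    password "constructed-plaintext";
}
oper bob {
    mask *@*;
    password "$argon2id$v=19$m=6144,t=2,p=2$Y29uc3RydWN0ZWQ$Y29uc3RydWN0ZWQ";
}
oper carol {
    mask *@*;
    password "constructed-fingerprint" { certfp; };
}
"""

# Assumption: untyped values starting with these prefixes are argon2/bcrypt hashes.
HASH_PREFIXES = ("$argon2", "$2a$", "$2b$", "$2y$")
OPER_RE = re.compile(r'^\s*oper\s+(\S+)\s*\{', re.M)
PASS_RE = re.compile(r'password\s+"([^"]*)"\s*(\{[^}]*\})?\s*;')

def oper_blocks(conf):
    """Yield (name, body) per oper block. Braces inside quotes are not handled."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)  # drop /* */ comments
    for m in OPER_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def plaintext_opers(conf):
    """Names of oper blocks whose password has no auth type and no hash prefix."""
    flagged = []
    for name, body in oper_blocks(conf):
        for value, authtype in PASS_RE.findall(body):
            if not authtype and not value.startswith(HASH_PREFIXES):
                flagged.append(name)
    return flagged

def conf_private(path):
    """True if the file grants nothing to group/other (e.g. rw-------)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0
```

On the sample, `plaintext_opers(SAMPLE_CONF)` flags only `alice`; `conf_private()` is meant to be run against the real config path as the account that owns it.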
Date Modified | Username | Field | Change |
---|---|---|---|
2023-07-13 16:58 | rafaelgrether | New Issue | |
2023-07-13 17:02 | westor | Note Added: 0022951 | |
2023-07-13 18:01 | syzop | Note Added: 0022952 | |
2023-07-13 19:12 | rafaelgrether | Note Added: 0022953 | |
2023-07-13 19:46 | syzop | Note Added: 0022955 | |
2023-07-13 20:25 | rafaelgrether | Note Added: 0022956 | |
2023-07-15 09:05 | syzop | Assigned To | => syzop |
2023-07-15 09:05 | syzop | Status | new => resolved |
2023-07-15 09:05 | syzop | Resolution | open => fixed |
2023-07-15 09:05 | syzop | Fixed in Version | => 6.1.2-rc1 |
2023-07-15 09:05 | syzop | Note Added: 0022957 | |
2023-07-15 09:05 | syzop | Category | upgrade-conf => documentation |
2023-07-15 19:04 | syzop | Note Added: 0022958 |