View Issue Details

IDProjectCategoryView StatusLast Update
0006303unrealdocumentationpublic2023-07-15 19:04
Reporterrafaelgrether Assigned Tosyzop  
Status resolvedResolutionfixed 
Product Version6.1.1.1 
Fixed in Version6.1.2-rc1 
Summary0006303: Minimum security level for oper password
DescriptionHi guys,

I know that despite the recommended security measures (, they are rarely applied by system administrators.
Most (bad) system administrators keep UnrealRCd with drwxr-xr-x permissions.

Recently, one IRC network had their web server hacked (remote file inclusion vulnerability), and this attacker (probably using www-data credentials) had read access to unrealircd.conf and got oper password.

We know that best practice would be to never use a plain/text password, is very clear about this.
But we also know that most IRC installs just follow example.conf, but they don't read the full documentation on the site.

Despite being a sysadmin flaw, I think if there's a way to mitigate this, that would be great.

So, I suggest you to change example.conf and add instructions to generate oper password using "./unrealircd mkpasswd"
This is a minimum security level desired.
And then, if the sysadmin reads the full documentation on the site and wants to improve security by adding certfp or spkifp, great! But leaving the plain/text password, I believe it is a great measure.

Something like this:

What do you think?

TagsNo tags attached.
3rd party modules



2023-07-13 17:02

reporter   ~0022951

That's a good idea, totally recommended! +1


2023-07-13 18:01

administrator   ~0022952

Good idea to refer more to this from the config file indeed.

Just a side note regarding file permissions: UnrealIRCd will always (try to) chmod every config file to rw-------, so it is unlikely that the file permissions of the actual conf files were wrong and could be read by other users.
Maybe the ircd and the web(script) were running as the same user? We see that occasionally, where someone uses something that is actually meant for the web (php scripts and the like) for running the ircd also. Usually quite visibly by the way, with ircd paths being in /opt/www/ or the like.
The old security guide had a warning about using a separate user for running unrealircd, and also a warning that if you run other services on the box they were far more likely to be exploited (hacked) than exploiting an issue in the ircd itself. Due to a rewrite of the guide it was removed though, i didn't want to make it too long and was not sure if i should say such general things. I'm also not sure if the people who actually do that kind of things would read and act on those tips in the first place. Still may be worth putting it back...


2023-07-13 19:12

reporter   ~0022953

Thanks syzop, I really don't know exactly what happened to this network, but really, it could be that the webserver/php (with setuid or cgi scripts) was running under the same user as UnrealIRCd.

Even so, refering more to this from the config file I think it's a good measure.
plain/text password is a terrible idea.

So, I suggested to refer this in config file too, for sysadmins who don't read the site's documentation, they won't have problems of this type.

About site docs, my opinion is that the more complete the site docs, the better.
I think that these days security should be taken much more seriously than before (compliance, GDPR, etc..)


2023-07-13 19:46

administrator   ~0022955

Understood, I have now updated the text in the security article.

For what it's worth, this was the old text coming from UnrealIRCd 3.2.x times:
"There's a far bigger chance a box will get hacked by a non-irc(d) vulnerability than by some bug in UnrealIRCd. If you for example run http, dns, smtp and ftp servers on the same box you have a much higher risk. Also, if you are on a multi-user box (eg: you bought a shell) there's the risk of local exploits and bad permissions (see next). This risk is quite high so be careful when selecting a shell provider."

Of course that is quite out of date now, with shell providers not being much of a thing anymore.

So the new text at is now:
"Use dedicated account, and if possible, machine
Run UnrealIRCd under it's own account, don't share the account with anything else. Services too, run that on a different account.

If you run other daemons on the machine, like a webserver, mail server, etc. then you increase the attack surface a lot. The machine is at far bigger risk to get hacked by one of those other services than through the IRC server. Ideally you would run only the IRC server (and perhaps Services) on the machine, and not anything else. With cheap VM plans of nowadays that is quite doable too! "


2023-07-13 20:25

reporter   ~0022956

Yes, much better.

About changing example.conf, do you think it's worth it? Just +2 ou +3 lines in example.conf
I'm thinking sysadmins who don't read the full site documentation, and just consider what is written in example.conf. They don't know that they can generate the password in hashed form.

If the oper password was leak from the .conf file, it can cause serious trouble.


2023-07-15 09:05

administrator   ~0022957

Thanks for the suggestion(s). Done!

commit b3995f48ffe765eb64533901e0d09235f945c8a2 (HEAD -> unreal60_dev, origin/unreal60_dev, origin/HEAD)
Author: Bram Matthys <[email protected]>
Date: Sat Jul 15 08:58:57 2023 +0200

    Mention password hashing in the example.conf itself.
    Suggested by rafaelgrether in


2023-07-15 19:04

administrator   ~0022958

I also did this:

commit cdc14569a9d1c2f46b98b56ea93759ac5a0ed117 (HEAD -> unreal60_dev, origin/unreal60_dev, origin/HEAD)
Author: Bram Matthys <[email protected]>
Date: Sat Jul 15 18:48:27 2023 +0200

    Warn on plaintext oper::password in conf and even go as far as
    generating the password hashes and suggesting using those.
    This also starts the initial work on set::best-practices
    with hashed-passwords as the first setting there.

Issue History

Date Modified Username Field Change
2023-07-13 16:58 rafaelgrether New Issue
2023-07-13 17:02 westor Note Added: 0022951
2023-07-13 18:01 syzop Note Added: 0022952
2023-07-13 19:12 rafaelgrether Note Added: 0022953
2023-07-13 19:46 syzop Note Added: 0022955
2023-07-13 20:25 rafaelgrether Note Added: 0022956
2023-07-15 09:05 syzop Assigned To => syzop
2023-07-15 09:05 syzop Status new => resolved
2023-07-15 09:05 syzop Resolution open => fixed
2023-07-15 09:05 syzop Fixed in Version => 6.1.2-rc1
2023-07-15 09:05 syzop Note Added: 0022957
2023-07-15 09:05 syzop Category upgrade-conf => documentation
2023-07-15 19:04 syzop Note Added: 0022958