Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords

From: Darren Reed <avalon () caligula anu edu au>
Date: Thu, 5 Jun 2003 13:50:52 +1000 (Australia/ACT)
In some mail from Michael Osten, sie said:



The reason why IRC servers "IRCD.config" files don't use encryption (see
file attachment for example) is because 49 times out of 50 they do not

come

with a GUI program.  Administrators main method of changing the
configuration is to manually edit the file using a notepad utility.


It has nothing to do with having a GUI or not.  You obviously have no
concept of Unix permissions, so using a unix analogy should be avoided in
the future.  The config file that you speak of would be set to only be
readable and/or writable the user running the daemon.  Even the existance of
that password in the config file woud lend it self a bad design as every
application in (linux at least) can have hooks to PAM and use the same
encrypted password.  If the password *was* in the config file, to read this
file, you would need that users priviledges, or priviledges greater than
that user.  If you have either, crypting the password would be a bit
pointless (not to say that people don't do it).


You're fogetting that this IRC server application is being developed
for Windows where people are still mostly unfamiliar with advanced
file permission concepts beyond "read-only/archive" bits.

NTFS (NT4, W2K, XP, ...) supports file ownership by users as well as
read/write/execute "bits".  This is something that many *nix advocates
are blissuflly unaware of.  It's also not often used properly.

Darren
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: