nmlorg / naim

naim is a console client for AOL Instant Messenger (AIM), AOL I Seek You (ICQ), Internet Relay Chat (IRC), and The lily CMC.
http://naim.n.ml.org/
1 stars 0 forks source link

having getuid and getpwuid make irc reveal the local system username #37

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
> What steps will reproduce the problem?

#if defined(HAVE_GETPWUID) && defined(HAVE_GETUID) being true when you compile.

> What is the expected output? What do you see instead?

Would not expect it to reveal the local system username when another irc user 
performs a whois.

> What version of naim are you using? On what operating system?
> % naim --version

naim 0.11.8.3.2

> Please provide any additional information below.

This is not really a bug, but more of a preference. While username is not 
normally privileged information, it could be considered pseudo-privileged in 
some situations. Attackers could use it to brute force ssh passwords to gain 
access to the user's local machine, or the identify of the user could be 
compromised through the username even when the user is utilizing an anonymizing 
service (e.g. a proxy, or tor).

I've been a naim user for years, and this has always bugged me because I don't 
always remember to disable it when compiling for a new system, and I do 
occasionally see bruteforce SSH pop up in snort when connecting to IRC that 
used my username. I have changed my ssh port, switched to ssh keys, and changed 
my username for remote connections, but I don't think the average user will 
know/can be expected to do that. 

I do not think using the local system username should be the default behavior - 
to fix it you can add a #undef HAVE_GETUID or the other variable in 
libfiretalk/irc.c. 

Another solution would be to make it configurable at runtime (e.g., /setuid 
<blah> or via .naimprofile). It could also be a switch on the config/compile, 
or just a note in the README.

Original issue reported on code.google.com by rick.car...@gmail.com on 27 May 2011 at 3:32