> What steps will reproduce the problem?
#if defined(HAVE_GETPWUID) && defined(HAVE_GETUID) being true when you compile.
> What is the expected output? What do you see instead?
Would not expect it to reveal the local system username when another irc user
performs a whois.
> What version of naim are you using? On what operating system?
> % naim --version
naim 0.11.8.3.2
> Please provide any additional information below.
This is not really a bug, but more of a preference. While username is not
normally privileged information, it could be considered pseudo-privileged in
some situations. Attackers could use it to brute force ssh passwords to gain
access to the user's local machine, or the identity of the user could be
compromised through the username even when the user is utilizing an anonymizing
service (e.g. a proxy, or tor).
I've been a naim user for years, and this has always bugged me because I don't
always remember to disable it when compiling for a new system, and I do
occasionally see bruteforce SSH pop up in snort when connecting to IRC that
used my username. I have changed my ssh port, switched to ssh keys, and changed
my username for remote connections, but I don't think the average user will
know/can be expected to do that.
I do not think using the local system username should be the default behavior -
to fix it you can add a #undef HAVE_GETUID or the other variable in
libfiretalk/irc.c.
Another solution would be to make it configurable at runtime (e.g., /setuid
<blah> or via .naimprofile). It could also be a switch on the config/compile,
or just a note in the README.
Original issue reported on code.google.com by rick.car...@gmail.com on 27 May 2011 at 3:32
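An added example, not naim's or libfiretalk's code, sketching the runtime-configurable behavior the report proposes: the username placed in the IRC USER command comes from an explicit override first, from the system login only on opt-in, and otherwise from a neutral default. The names `irc_pick_ident`, `irc_build_user`, `IDENT_MAX` and `IDENT_DEFAULT` are hypothetical, and reusing the ident as the real-name field is an assumption made to keep the example short.

```c
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define IDENT_MAX 10            /* assumed cap on the username field */
#define IDENT_DEFAULT "user"    /* neutral fallback, assumed for this example */

/* Copy src into dst keeping only [A-Za-z0-9_-]; returns the resulting length. */
static size_t ident_sanitize(char *dst, size_t dstlen, const char *src) {
    size_t n = 0;
    for (; src && *src && n + 1 < dstlen; src++)
        if (isalnum((unsigned char)*src) || *src == '_' || *src == '-')
            dst[n++] = *src;
    if (dstlen) dst[n] = '\0';
    return n;
}

/* Choose the username sent to the IRC server (visible to others via whois).
 * Order: explicit override, then system login only if opted in, then default.
 * Returns 0 = override used, 1 = system login used, 2 = neutral default used. */
int irc_pick_ident(char *out, size_t outlen, const char *override, int allow_system) {
    if (ident_sanitize(out, outlen, override) > 0)
        return 0;
    if (allow_system) {
        struct passwd *pw = getpwuid(getuid());
        if (pw && ident_sanitize(out, outlen, pw->pw_name) > 0)
            return 1;
    }
    snprintf(out, outlen, "%s", IDENT_DEFAULT);
    return 2;
}

/* Build "USER <ident> 0 * :<ident>\r\n"; the local login never appears by default. */
int irc_build_user(char *line, size_t len, const char *override, int allow_system) {
    char ident[IDENT_MAX + 1];
    irc_pick_ident(ident, sizeof ident, override, allow_system);
    return snprintf(line, len, "USER %s 0 * :%s\r\n", ident, ident);
}

int main(void) {
    char line[64];
    irc_build_user(line, sizeof line, NULL, 0);   /* no override, no opt-in */
    fputs(line, stdout);
    return 0;
}
```

Sanitizing the override also keeps CR/LF out of the USER line, so a configured value cannot smuggle extra IRC commands.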