Anope IRC Services

Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: [1]   Go Down

Author Topic: Some (critical) thoughts of MysqlDB/cmd interface...  (Read 5006 times)

0 Members and 1 Guest are viewing this topic.

someone

  • Anope User
  • Offline Offline
  • Gender: Male
  • Posts: 42
    • http://www.somenet.org
Some (critical) thoughts of MysqlDB/cmd interface...
« on: June 20, 2010, 12:40:00 PM »

its owned by oracle now - noone can really predict what they want to do with it. Many ppl are switching to the much better postgre.
</random mysql rant>

The big question is, if you really need/want mysql and its new command interface.
As a new database is comming, ppl can finally edit the anope.db file if you really need to manually clean the db.
The positive aspects of mysql are imho: webstats, anope+xxx integration and the now obsolete but imho only valid argument for mysql: manually cleaning the DB.

What permissions do the commands have, if excecuted from the commands table - do we know? possibly roots?
The problem is, that imho this mysql stuff is being used by 0,50€ admins (guys that rent a shellserver somewhere and are now going to be owners of the next world's biggest irc network, getting all the girls, because owner of ubernet is great status), that do not think critically of what they use and how it works.
they just use it because its a "nice to have".

Now the integration of anope and "community-page" is impossible, as desyncs will happen. (eg. nick expire or /ns drop will not delete the community user)
if you do NOT want to be in their "community-page" you can (if they didnt remove ns_register) register via irc, again desyncing page and anope.

On the other hand, most of these free systems allow for sql injections, making it possible to insert commands into the command table, destroying or altering IRC.
Especially if such 0,50€ admin goes on power-trip glining random users.
One banned user could pretty much go on revenge-trip by f**ing his anope.
Not to mention to select plaintext passwords + users + emails via sql injection.

Also command interface responses?

IMHO its MUCH more secure and "live" to have an irc bot, doing all this stuff. If you can run anope, you can also run a bot.
Writing a bot that reads some named pipe/file(/db-table) and excecutes the commands, writing the result to another named pipe/file(/db-table) is more secure, as the bot doesnt need any more priviledges then any other normal user has AND it also gives you responses.

Also, you unless you can catch and write sql statements for all anope events, like reguser, regchan, dropuser, .... you cannot make anope sync with any other webpage - i actually dont even see the point in doing so - unless you want to cripple your irc and force your users into something they possibly dont want.
As for webstats, it actually doesnt even need non-live mysql stuff, if you make the bot doing the commands you want on demand, parsing the output and writing it to a file/table that can be used in a website. (imho ircd stats are anyway more interesting than service stats)

Imho a network's service bot - which most of the bigger networks have - is much more live and much more secure than using (current) mysql.
ALSO using anope's db format minimises the risks of using mysql: db-corruption and other ppl reading/changing your datadases, you dont know of: sql injection or your DB-Server's root admins.

The only con of a network's service bot is that 0,50€ admins wont be able to write their own one.

So considering the long term... why not move the command interface and the botserv to an anope default network bot(script)?
That can be used by 0,5€ admins if they fail to write their own stuff.
It would make stuff much easier, as a bot like eggdrop, can be easily extended for even more than anope stuff.
If they can run anope, they will surely be able to run a partially preconfigured eggdrop.
That would make it also easier to use pisg.
Also: a less errorprone anope core...

<off-topic>
what about an anope pisg fork, as pisg seems pretty dead to me? ;)
Logged

phrozen77

  • Anope User
  • Offline Offline
  • Posts: 1
Re: Some (critical) thoughts of MysqlDB/cmd interface...
« Reply #1 on: June 20, 2010, 02:52:53 PM »

I'm pretty sure someone will hunt down Oracle / the person responsible if they decide to fsck around with MySQL and/or their license, so i don't exactly expect that there will be significant changes of any kind.

Regarding SQL-injection take a look at that: http://www.greensql.net/
Logged

Charles Kingsley

  • Contributor
  • *
  • Offline Offline
  • Posts: 1405
Re: Some (critical) thoughts of MysqlDB/cmd interface...
« Reply #2 on: June 20, 2010, 02:58:54 PM »

Quote
its owned by oracle now - noone can really predict what they want to do with it. Many ppl are switching to the much better postgre.
</random mysql rant>

Won't be a problem so not worth worrying about.

At the very worst case scenario Monty has already released a drop in replacement in the form of MariaDB.


Logged
Pages: [1]   Go Up