Subj : Re: Really in need of help...
To   : niter3
From : Ganiman
Date : Tue Dec 06 2022 01:32 pm

 ni> What's the issue running it under sudo

If your BBS gets compromised, then that person has root access to your system and whatever else that might mean for your environment. It is generally bad practice to run any services as root, especially untrusted ones like Mystic - I would not say Mystic is "trusted" by any means. It does not seem to support modern crypto ciphers: try ssh'ing to any Mystic BBS with a "normal" client, like `ssh` from a linux command line, and by default you will get an error about weak ciphers, to which you need to either update your ssh_config or explicitly use the weak cipher in your command string - TLS with SMTP also seems to have similar cipher issues. Mystic, to my knowledge anyway, is not pen tested, it is not open source to allow for peer reviewing, it does not get frequent updates, etc. That is not a dig at the g00r00 or anyone who contributes to it, and advanced security shouldn't be the job of Mystic anyway. On top of that and other things, most of us are all using TELNET which is the most *unsecure* thing you can do on the Internet. No, you should not be running Mystic or most other things with root privilges.

There *are* generally safe ways to run untrusted software like Mystic and there are ways to use to ports 22 and 23 *without* giving Mystic root access (simple firewall rules to forward each of them to ports above 1024 are easy enough to write and search for).

We live in a "zero trust" world today.

---
Ganiman
bbs.madetoraid.com:[2323/2222]

--- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
 * Origin: Made to Raid BBS (21:3/174)

.