  1. #1
    Join Date
    Jan 2010
    Location
    Duesseldorf, Germany
    Posts
    33

    Question Query-User for TokenList only?

    Hello,

    I'm using the token system to give my users access to certain channels. This way users can get access while I'm not on. But I have to create the tokens and then post them in our forum. The users have to post which one they used, and when all tokens are used I have to create new ones, and so on.
    To make it a little easier, I wrote a PHP script that connects to the query port, reads out all tokens for a specific group and displays them. I will integrate this script into my forum system to be sure that only my users have access to it. The script works, but it is necessary to log in to read the tokens. I used "serveradmin" for testing, but this solution is bad in terms of security.

    Is it possible to create a query account that is able to read tokens only?

  2. #2
    Join Date
    Jan 2010
    Location
    Duesseldorf, Germany
    Posts
    33
    Hi again,

    Meanwhile I published my script here: http://forum.teamspeak.com/showthread.php?t=49750

    Since I have received no answer here, I'm using the serveradmin account in my script. But I'd feel much better having an account that is not able to do everything with my server, to have a little more security if someone hacks my webspace and gets the login information from my script.

    Enjoy my script and think about a way for better security please!

  3. #3
    Join Date
    Apr 2007
    Location
    Germany
    Posts
    98
    Erm, just three sentences to say here:
    1.) Use a secure password (e.g. look here: https://www.grc.com/passwords.htm )

    2.) Be sure to try to program without security risks (e.g. http://www.cgisecurity.com/lib/php-secure-coding.html )

    3.) You should be able to create a serverquery-user with these rights by yourself... Just create a new group with no permissions but serverquerying, then add a "sampleuser" to this group and there you go. Play around a bit with the permissions, there are a lot of possibilities you don't even know

    Another method would be using MySQL instead of SQLite. So you are able to get all tokens by using a new MySQL-user with a strong password.

    Just my 2 cents


    €dit: Ok, a bit more than three sentences, forgive me

  4. #4
    Join Date
    Jan 2010
    Location
    Duesseldorf, Germany
    Posts
    33
    Hello again,

    I have some questions about your ideas:

    Quote, originally posted by Lil-rich:
        Erm, just three sentences to say here:
        1.) Use a secure password (e.g. look here: https://www.grc.com/passwords.htm )

    The first thing is that I don't know a way to choose a password. I can generate a password, but the server will create it. The second thing is that the password is written in the source code of my script. If a hacker gets access to my source code, he simply has the password, whether it is a secure one or not.

    Quote, originally posted by Lil-rich:
        2.) Be sure to try to program without security risks (e.g. http://www.cgisecurity.com/lib/php-secure-coding.html )

    My script is a simple PHP file, not using any includes or other libraries. Perhaps you may have a look at it?

    Quote, originally posted by Lil-rich:
        3.) You should be able to create a serverquery-user with these rights by yourself... Just create a new group with no permissions but serverquerying, then add a "sampleuser" to this group and there you go. Play around a bit with the permissions, there are a lot of possibilities you don't even know

    Is it necessary to create a group for it? I tried to give the user the rights directly using client rights, but without success. Can anyone tell me which rights are necessary?

    Quote, originally posted by Lil-rich:
        Another method would be using MySQL instead of SQLite. So you are able to get all tokens by using a new MySQL-user with a strong password.

    I haven't used TS3 together with MySQL. Is it possible to change the DB system and take over all the granted rights, or must I start from 0 then?

  5. #5
    Join Date
    Apr 2007
    Location
    Germany
    Posts
    98
    Quote, originally posted by Harry.Fox:
        The first thing is that I don't know a way to choose a password. I can generate a password, but the server will create it.

    You are not able to use your own password for these sq-logins yet. I don't know if this will ever be implemented, as this would be a security risk again (because a lot of people just use ABC123 or something else as password -> very weak...). You have to ask the devs.

    Quote, originally posted by Harry.Fox:
        The second thing is that the password is written in the source code of my script. If a hacker gets access to my source code, he simply has the password, whether it is a secure one or not.

    The easiest way for a "hacker" is the password most times (brute-forcing). This is why you should choose a strong password - not for your serverquery-login but for your webspace/ftp login - so this method would not work or at least it would not be worth the time...

    Quote, originally posted by Harry.Fox:
        My script is a simple PHP file, not using any includes or other libraries. Perhaps you may have a look at it?

    I am not into secure programming, sorry. I just noticed these tips very often and thought I should point that out for you. As I already said, just have a look at it. If none of the things mentioned is implemented, you should not worry.

    Quote, originally posted by Harry.Fox:
        Is it necessary to create a group for it? I tried to give the user the rights directly using client rights, but without success. Can anyone tell me which rights are necessary?

    Hmm, good question. Just try it ^^
    One right should be: "b_client_issue_client_query_command"
    Dunno if there are some other rights that are needed to do it.

    Quote, originally posted by Harry.Fox:
        I haven't used TS3 together with MySQL. Is it possible to change the DB system and take over all the granted rights, or must I start from 0 then?

    There are some tools out there for opening the sqlite-database, but you would have to migrate the data on your own (since I didn't see any tool yet).

    But you don't need to do this with MySQL at all. As already mentioned, you are able to do it without MySQL too. As Peter said yesterday:
        Using mysql has, in my opinion, only one valid reason for TeamSpeak: If you need to integrate some data that is already in a mysql database into a ts3 server (e.g. if you want to use your forums user descriptions as the TS3 user descriptions or sth). Just for the sake of firing queries at the database (e.g. via php), you should NOT go to mysql.

    So decide on your own. Different people, different needs & solutions...
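
Added example, not part of any post in this thread and not the script linked above: a PHP sketch of the two concerns raised so far, keeping the query login out of the script source and showing only the tokens of one server group. It assumes the ServerQuery `tokenlist` reply format and escaping; the file location, the login name `tokenreader` and the sample reply are constructed.

```php
<?php
// Added example, not the thread's script; path, login name and reply are constructed.
// Load the query login from an INI file kept outside the web root.
function load_query_login(string $path): array {
    $cfg = parse_ini_file($path, false, INI_SCANNER_RAW);
    if ($cfg === false || !isset($cfg['login'], $cfg['password'])) {
        throw new RuntimeException('query credentials missing');
    }
    if (strcasecmp($cfg['login'], 'serveradmin') === 0) {
        throw new RuntimeException('refusing to run as serveradmin');
    }
    if (fileperms($path) & 0007) {   // any access bit set for "other" users
        throw new RuntimeException('credential file is world-accessible');
    }
    return $cfg;
}

// Undo ServerQuery escaping: \s space, \p pipe, \/ slash, \\ backslash.
function sq_unescape(string $v): string {
    return strtr($v, ['\\\\' => '\\', '\\/' => '/', '\\s' => ' ',
                      '\\p' => '|', '\\n' => "\n", '\\t' => "\t"]);
}

// Return the tokens of one server group from a raw "tokenlist" reply.
function tokens_for_group(string $reply, int $groupId): array {
    $tokens = [];
    foreach (explode('|', trim($reply)) as $row) {
        $f = [];
        foreach (explode(' ', $row) as $pair) {
            [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
            $f[$k] = sq_unescape($v);
        }
        // token_type 0 marks a server group token; token_id1 is its group id.
        if (($f['token_type'] ?? '') === '0' && (int)($f['token_id1'] ?? -1) === $groupId) {
            $tokens[] = $f['token'] ?? '';
        }
    }
    return $tokens;
}

// Constructed demo: a 0600 credential file and a two-row reply.
$path = tempnam(sys_get_temp_dir(), 'sq');
file_put_contents($path, "login=tokenreader\npassword=EXAMPLEpw1\n");
$login = load_query_login($path);
unlink($path);
$reply = 'token=AAAA\/bbbb token_type=0 token_id1=7 token_id2=0|'
       . 'token=CCCCdddd token_type=1 token_id1=5 token_id2=12';
foreach (tokens_for_group($reply, 7) as $t) {
    echo htmlspecialchars($t, ENT_QUOTES, 'UTF-8'), "\n";
}
```

In a real deployment the credential file would sit in a directory the web server does not serve, so a source-code disclosure of the script alone does not reveal the login.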

  6. #6
    Join Date
    Oct 2008
    Location
    Alberta, Canada
    Posts
    167
    You can switch from SQLite to MySQL without starting over. You'll need a program that can open SQLite files (I googled it and found this one). Then open up the TS Database (make sure you shut down the server first) and export it to an sql file, then import it into a MySQL database and it works just fine. (You'll probably have to do a little syntax editing though, the MySQL server rejects the SQLite code.)

  7. #7
    Join Date
    Jan 2010
    Location
    Duesseldorf, Germany
    Posts
    33
    Must I create the MySQL database beforehand, or will the server do this at startup like it does with SQLite?
    And when the server creates the DB, will it be integrated in my already running MySQL server, so that I can easily access it like all my other DBs on the server?

  8. #8
    Join Date
    Jan 2010
    Location
    Secret Base in Arctic Region
    Posts
    1,181
    No, TS will only create the tables; the database itself has to exist.
    The serverdocs describe how to start TS3 using MySQL.
