[asterisk-bugs] [Asterisk 0013751]: All Call Recordings are world readable [Security Risk]

Asterisk Bug Tracker noreply at bugs.digium.com
Tue Oct 21 10:07:21 CDT 2008


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=13751 
====================================================================== 
Reported By:                irroot
Assigned To:                Corydon76
====================================================================== 
Project:                    Asterisk
Issue ID:                   13751
Category:                   Applications/app_mixmonitor
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     assigned
Asterisk Version:           1.6.0 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             2008-10-21 04:15 CDT
Last Modified:              2008-10-21 10:07 CDT
====================================================================== 
Summary:                    All Call Recordings are world readable [Security
Risk]
Description: 

As recordings are a sensitive issue and in most cases regulated by law and
in some cases not permitted at all, the recording mechanism needs to be as
secure as possible.

Ideally the filemodes should be configurable and there should be a way of
modifying the owner/group [requires the system be run as root] so only
authorised users in a particular group have access to this data.

If the system is not running as root, setting the mode to a mode other than
universal read access should still be considered best practice.

IMHO the default mask should be 0640 at least ...
====================================================================== 

---------------------------------------------------------------------- 
 (0094050) Corydon76 (administrator) - 2008-10-21 10:07
 http://bugs.digium.com/view.php?id=13751#c94050 
---------------------------------------------------------------------- 
He's correct that we should change the filemode, but it should be changed
to 0666, which allows the umask to take full effect.  Our advice to
administrators who want to limit the readability of files has always been
to set the umask at startup time. 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2008-10-21 10:07 Corydon76      Note Added: 0094050                          
======================================================================
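
The interaction between the mode passed to open(2) and the process umask that
the note above relies on, as an added example (not Asterisk code and not part
of the original report). The helper name created_mode, the scratch directory
under /tmp and the file name call.wav are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a file with the requested open(2) mode under the given umask and
 * return the permission bits it actually receives, or -1 on error.
 * Hypothetical helper for illustration; not an Asterisk function. */
static int created_mode(mode_t requested, mode_t mask)
{
    char dir[64], path[96];
    struct stat st;
    int result = -1;

    /* Constructed scratch location; mkdir fails if the path already exists. */
    snprintf(dir, sizeof(dir), "/tmp/recmode-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return -1;
    snprintf(path, sizeof(path), "%s/call.wav", dir);

    mode_t old = umask(mask);   /* stands in for the umask set at startup */
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, requested);
    umask(old);

    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            result = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    /* Requesting 0666 leaves the outcome entirely to the umask. */
    printf("0666, umask 022 -> %04o\n", (unsigned)created_mode(0666, 022));
    printf("0666, umask 027 -> %04o\n", (unsigned)created_mode(0666, 027));
    printf("0666, umask 077 -> %04o\n", (unsigned)created_mode(0666, 077));
    /* A hard-coded 0644 can be narrowed by the umask but never widened,
     * so group write stays off even when the umask would permit it. */
    printf("0644, umask 007 -> %04o\n", (unsigned)created_mode(0644, 007));
    printf("0666, umask 007 -> %04o\n", (unsigned)created_mode(0666, 007));
    return 0;
}
```

With the common default umask of 022 a request for 0666 still produces a
world-readable 0644 file; the 0640 the reporter asks for appears only once the
umask is set to 027 before the process starts.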



