[asterisk-bugs] [Asterisk-GUI 0015119]: [patch] support for a separate datadir
Asterisk Bug Tracker
noreply at bugs.digium.com
Tue Jun 30 09:46:29 CDT 2009
A NOTE has been added to this issue.
======================================================================
https://issues.asterisk.org/view.php?id=15119
======================================================================
Reported By: tzafrir
Assigned To: awk
======================================================================
Project: Asterisk-GUI
Issue ID: 15119
Category: General
Reproducibility: have not tried
Severity: minor
Priority: normal
Status: assigned
Asterisk GUI Version: SVN
Asterisk Version: 1.6.1.0
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Disclaimer on File?: N/A
Request Review:
======================================================================
Date Submitted: 2009-05-15 10:17 CDT
Last Modified: 2009-06-30 09:46 CDT
======================================================================
Summary: [patch] support for a separate datadir
Description:
For the Debian package, static-http resides under the read-only datadir.
Generally I consider this a Good Thing - having the whole code on a place
that is writable by the web server is generally not a good idea.
This requires some adjustments.
Specifically, I started by making http-static/config/tmp a symlink to
/var/spool/asterisk/tmp . I'm not completly happy with that: it potentially
exposes any file in the tmp directory to outside user. But it's a start.
I'm posting here my initial patches.
======================================================================
----------------------------------------------------------------------
(0107237) awk (manager) - 2009-06-30 09:46
https://issues.asterisk.org/view.php?id=15119#c107237
----------------------------------------------------------------------
tzafrir,
I agree that its generally not a good practice to have your web content
write accessible from the web server, however, one of the fundamental
assumptions of the GUI is that this is an admin tool and designed for a
'trusted' user. Because of that assumption, we generally choose flexibility
over security. Also, changing the /etc/asterisk temporary files (such as
for dahdi's read file) has a greater consequence as we don't read that file
as text/html (as we do files in /var/lib/asterisk/static-http/), but rather
as a config file through the manager getconfig command. This gives the GUI
easier to parse output allowing us to keep the same parsing mechanics for
all configs.
That said, maybe there is a middle ground we can reach. I'm not satisfied
with writing system output to /var/lib/asterisk/static-http/config/. I
think its unorganized. What about writing it to
/var/lib/asterisk/static-http/tmp/? That (i think) would allow you to make
.../static-http/config/ read-only and make /static/http/tmp/ the read/write
area.
Issue History
Date Modified Username Field Change
======================================================================
2009-06-30 09:46 awk Note Added: 0107237
======================================================================
More information about the asterisk-bugs
mailing list