[Asterisk-Dev] asterisk writing zaptel.conf
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Wed Apr 27 07:09:35 MST 2005
Hi
On Wed, Apr 27, 2005 at 08:41:08AM -0400, alex at pilosoft.com wrote:
> On Mon, 25 Apr 2005, Tzafrir Cohen wrote:
>
> > If the asterisk user has write permissions to /etc/zaptel.conf and root
> > routinely (e.g. at boot) executes ztcfg, what are the possible issues?
> I don't think anyone particularly evaluated ztcfg for security holes.
>
> > Possible workaround: empty /etc/zaptel.conf and an asterisk-owned
> > zaptel.conf under /etc/asterisk, executed by the wrapper script that
> > runs asterisk?
> I do not see what it would gain you. Bottom line is, ztcfg has to
> interface directly with hardware, root privileges are required.
ztcfg actually just executes a bunch of ioctl-s on zaptel devices.
So it basically requires write access to such a device file. Is there
anything privileged in what it does?

Asterisk needs to have write access to such a device file for other
(though quite similar) reasons.
> If you are
> very concerned (shared host) regarding security of ztcfg, your only
> solution is to evaluate if there are any holes in it...
I'm not concerned about shared hosting. But if someone would like to
speculate on the following, they're welcome:

  /dev/zap/ctl  root      zapopers  rw-rw----
  /dev/zap/1    zapuser1  root      rw-rw----
  /dev/zap/2    zapuser2  root      rw-rw----

Where zapuser1 and zapuser2 are both members of the group zapopers.
Would such a setup give them "private" devices or is it worth nothing
because of the write access to the ctl device?
--
Tzafrir Cohen icq#16849755 +972-50-7952406
tzafrir.cohen at xorcom.com http://www.xorcom.com