[asterisk-dev] New manager action: CreateConfig
Michiel van Baak
michiel at vanbaak.info
Tue Feb 12 13:50:19 CST 2008
On 19:36, Tue 12 Feb 08, Benny Amorsen wrote:
> Johansson Olle E <oej at edvina.net> writes:
>
> > What happens if I use an argument of "../rc.conf" or "../passwd" ?
> >
> > I suggest we filter file name arguments for ".." and "/" in the
> > arguments of all these configuration actions.
>
> It's very hard to do this securely if users have permission to write
> to the same directories. E.g. make sure that you always create new
> files, never write to an existing file. (ln /etc/passwd foo,
> asterisk writes to foo...) Symlinks are even worse, but easier to
> detect.
Best would be to only enable this when asterisk is not
running as root, or when it is chrooted.
--
Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD
"Why is it drug addicts and computer aficionados are both called users?"
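The two defensive rules raised in the thread, Olle's filtering of ".." and "/" in the file-name argument and Benny's "always create new files, never write to an existing file", can be combined in a few lines of C. The sketch below is an added illustration, not code from the thread or from Asterisk; the function names `config_name_is_safe`, `create_new_config` and `demo` are hypothetical, and `demo` uses a scratch directory under `/tmp` with constructed file names to show each case the thread describes (traversal name, existing file, hard link, symlink).

```c
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Accept only a bare file name inside the config directory.  Rejecting '/'
 * means the argument can never name a path, so "../rc.conf" or
 * "/etc/passwd" are out; "." and ".." are the only remaining special names.
 * Control characters are rejected so the name is safe to log.
 * (Hypothetical helper, added for illustration.)
 */
int config_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || strlen(name) > 255)
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/*
 * Create a brand-new config file inside dirfd.  O_EXCL makes the call fail
 * with EEXIST when anything already sits at that name, including a hard
 * link planted with "ln /etc/passwd foo", so an existing file is never
 * written through.  O_NOFOLLOW refuses a symlink placed there instead.
 * Returns the open fd, or -1 with errno set.  (Hypothetical helper.)
 */
int create_new_config(int dirfd, const char *name)
{
    if (!config_name_is_safe(name)) {
        errno = EINVAL;
        return -1;
    }
    int fd = openat(dirfd, name,
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Belt and braces: what we got must be a fresh regular file with one link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/*
 * Runs the cases from the thread against a scratch directory (constructed
 * fixtures, nothing outside /tmp is touched).  Returns 0 when every case
 * behaves as intended; a nonzero bitmask names the case that did not.
 */
int demo(void)
{
    char dir[] = "/tmp/cfgdemo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 1;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return 2;
    int rc = 0;
    /* 1. a traversal name is rejected before any filesystem call */
    if (create_new_config(dirfd, "../rc.conf") != -1 || errno != EINVAL) rc |= 4;
    /* 2. the first creation of a fresh name succeeds */
    int fd = create_new_config(dirfd, "sip.conf");
    if (fd < 0) rc |= 8; else close(fd);
    /* 3. a second attempt on the now-existing name is refused with EEXIST */
    if (create_new_config(dirfd, "sip.conf") != -1 || errno != EEXIST) rc |= 16;
    /* 4. a hard link to an existing file under the target name is refused too */
    if (linkat(dirfd, "sip.conf", dirfd, "linked.conf", 0) == 0 &&
        (create_new_config(dirfd, "linked.conf") != -1 || errno != EEXIST)) rc |= 32;
    /* 5. a symlink under the target name is not followed */
    if (symlinkat("sip.conf", dirfd, "evil.conf") == 0 &&
        create_new_config(dirfd, "evil.conf") != -1) rc |= 64;
    unlinkat(dirfd, "sip.conf", 0);
    unlinkat(dirfd, "linked.conf", 0);
    unlinkat(dirfd, "evil.conf", 0);
    close(dirfd);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("demo %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The name check alone is not enough, which is Benny's point: with a shared writable directory an attacker does not need ".." when a hard link under an innocent name already points at the victim file, so the create step has to refuse any pre-existing entry. Michiel's gate fits naturally on top, by declining the action altogether when the process runs as root and is not chrooted.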