[asterisk-dev] New manager action: CreateConfig

Michiel van Baak michiel at vanbaak.info
Tue Feb 12 13:50:19 CST 2008


On 19:36, Tue 12 Feb 08, Benny Amorsen wrote:
> Johansson Olle E <oej at edvina.net> writes:
> 
> > What happens if I use an argument of "../rc.conf" or "../passwd" ?
> >
> > I suggest we filter file name arguments for ".." and "/" in the  
> > arguments of all these configuration actions.
> 
> It's very hard to do this securely if users have permission to write
> to the same directories. E.g. make sure that you always create new
> files, never write to an existing file. (ln /etc/passwd foo,
> asterisk writes to foo...) Symlinks are even worse, but easier to
> detect.

Best would be to only enable this when asterisk is not
running as root, or when it is chrooted.

-- 

Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"
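
An added example, not part of the original thread or of Asterisk's code: one way to combine the two checks discussed in the quoted text, rejecting ".." and "/" in the file name and only ever creating new files, so that a pre-planted hard link or symlink makes the call fail instead of being written through. The function names, the scratch directory and the file names are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Accept only a bare file name: no "/" and no ".." anywhere in it. */
static int name_is_safe(const char *name)
{
    return name[0] != '\0' && !strchr(name, '/') && !strstr(name, "..");
}

/* Create `name` inside the directory open at dirfd; returns an fd, or -1.
 * O_CREAT|O_EXCL fails with EEXIST if the name already exists, including
 * when it is a hard link or a (possibly dangling) symlink someone planted. */
static int create_new_config(int dirfd, const char *name)
{
    if (!name_is_safe(name)) { errno = EINVAL; return -1; }
    return openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0640);
}

/* Constructed scenario in a scratch directory. Returns a bitmask of the
 * attempts that succeeded; only bit 0 (the fresh name) should be set. */
static int demo(void)
{
    char dir[] = "/tmp/cfgdemoXXXXXX";
    const char *tries[] = { "new.conf", "../rc.conf", "hard.conf", "sym.conf" };
    int mask = 0, dirfd, fd, i;
    if (!mkdtemp(dir) || (dirfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0)
        return -1;
    fd = openat(dirfd, "victim", O_WRONLY | O_CREAT, 0600); /* stands in for /etc/passwd */
    if (fd < 0 || close(fd) != 0) return -1;
    if (linkat(dirfd, "victim", dirfd, "hard.conf", 0) != 0 || /* ln victim hard.conf */
        symlinkat("victim", dirfd, "sym.conf") != 0)           /* ln -s victim sym.conf */
        return -1;
    for (i = 0; i < 4; i++) {
        fd = create_new_config(dirfd, tries[i]);
        if (fd >= 0) { mask |= 1 << i; close(fd); }
        if (name_is_safe(tries[i])) unlinkat(dirfd, tries[i], 0); /* clean up */
    }
    unlinkat(dirfd, "victim", 0);
    close(dirfd);
    rmdir(dir);
    return mask;
}

int main(void) { printf("succeeded mask: %d\n", demo()); return 0; }
```

Opening the configuration directory once and using `openat()` relative to it keeps every later lookup anchored to that directory, even if the path to it is renamed in the meantime.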



