[asterisk-dev] New manager action: CreateConfig

Maxim Sobolev sobomax at sippysoft.com
Tue Feb 12 15:43:41 CST 2008


Johan Wilfer wrote:
> Tue 2008-02-12 at 17:39 +0100, Johansson Olle E wrote:
>> 12 Feb 2008 at 17.10, Tzafrir Cohen wrote:
>>
>>> On Tue, Feb 12, 2008 at 04:16:48PM +0100, Johansson Olle E wrote:
>>>> What happens if I use an argument of "../rc.conf" or "../passwd" ?
>>>>
>>>> I suggest we filter file name arguments for ".." and "/" in the
>>>> arguments of all these configuration actions.
>>> You assume the user did not run:
>>>
>>>  System(ln -s / /etc/asterisk/rootdir)
>>>
>>> Running Asterisk as root is bad for your health.
>>
>> Well, I won't disagree. But that's not a good reason for adding new
>> holes, is it?
> 
> Wouldn't it be better to focus on having Asterisk run as non-root as the
> default? Someone who can summarize the pros and cons? I guess this could
> mean a lot to secure the default Asterisk configuration.

+1. There is really no point for it to run as root.

Regards,
-- 
Maksym Sobolyev
Sippy Software, Inc.
Internet Telephony (VoIP) Experts
T/F: +1-646-651-1110
Web: http://www.sippysoft.com
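Tzafrir's objection in the thread above is that filtering ".." and "/" out of the file name still passes a symlink planted in the config directory, such as rootdir. The C below is an added example written for this discussion, not Asterisk code; the names cfg_create(), cfg_name_is_clean() and the cfg_dir parameter are chosen here. It keeps the proposed name filter as step 1 and adds O_NOFOLLOW as step 2, so a create through a planted link fails with ELOOP instead of writing outside the directory.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Verdicts returned by cfg_create(). */
enum cfg_verdict { CFG_OK = 0, CFG_BAD_NAME, CFG_BAD_DIR, CFG_SYMLINK, CFG_OPEN_FAILED };

/* Step 1: the filter suggested on the list: reject "..", "/" and empty names. */
static int cfg_name_is_clean(const char *name)
{
    return name && *name && !strchr(name, '/') && !strstr(name, "..");
}

/*
 * Step 2: create the file inside cfg_dir without following a symlink planted
 * there (the System(ln -s / /etc/asterisk/rootdir) case).  The name filter
 * alone passes "rootdir"; O_NOFOLLOW is what stops the write from landing
 * outside the config directory.  On CFG_OK, *fd_out is an open descriptor.
 */
enum cfg_verdict cfg_create(const char *cfg_dir, const char *name, int *fd_out)
{
    char path[PATH_MAX];
    struct stat st;
    int fd;

    if (!cfg_name_is_clean(name))
        return CFG_BAD_NAME;
    if (stat(cfg_dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return CFG_BAD_DIR;
    if (snprintf(path, sizeof path, "%s/%s", cfg_dir, name) >= (int)sizeof path)
        return CFG_BAD_NAME;
    /* O_NOFOLLOW: open() fails with ELOOP when the final component is a symlink. */
    fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0640);
    if (fd < 0)
        return errno == ELOOP ? CFG_SYMLINK : CFG_OPEN_FAILED;
    *fd_out = fd;
    return CFG_OK;
}
```

A CFG_SYMLINK verdict is worth logging with the requesting manager account, since a link sitting in the config directory is a sign someone already had write access there.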