[asterisk-dev] AstriDevCon - PineMango

Tzafrir Cohen tzafrir.cohen at xorcom.com
Thu Oct 9 12:49:18 CDT 2008


On Thu, Oct 09, 2008 at 09:20:40AM -0700, Brian Degenhardt wrote:

> To clarify, we're talking about fine-grained auth here, not the yes/no
> type in a password to use the API socket.  We currently don't
> authenticate AGI scripts, cli commands, dialplan scripts, and manager's
> security model is a joke.

And a reminder of what happens because of that:

If you want to write a nice little dialer and do it the right way,
you have to write your own daemon that runs on a dedicated server.
Little hacks like SnapDialer are indeed security holes (if you allow
them to be used). If there were proper authorization through the manager
interface, such dialers could have been safe.

I suspect that the same would apply to any interface you want to expose.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
