[asterisk-dev] AstriDevCon - PineMango
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Thu Oct 9 12:49:18 CDT 2008
On Thu, Oct 09, 2008 at 09:20:40AM -0700, Brian Degenhardt wrote:
> To clarify, we're talking about fine-grained auth here, not the yes/no
> type in a password to use the API socket. We currently don't
> authenticate AGI scripts, cli commands, dialplan scripts, and manager's
> security model is a joke.
And a reminder of what happens because of that:
If you want to write a nice little dialer and do it the right way,
you have to write your own daemon that runs on a dedicated server.
Little hacks like SnapDialer are indeed security holes (if you allow
them to be used). If there were proper authorization through the manager
interface, such dialers could have been safe.
I suspect that the same would apply to any interface you want to expose.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
More information about the asterisk-dev
mailing list