[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default
Michiel van Baak
michiel at vanbaak.info
Thu Nov 12 05:56:18 CST 2009
On 12:24, Thu 12 Nov 09, Kai Hoerner wrote:
> Michiel van Baak wrote:
> > On 11:34, Thu 12 Nov 09, Olle E. Johansson wrote:
> >
> >> I've changed the sip.conf.sample in trunk to say the following.
> >>
> > In my opinion this change is enough.
> > Changing the default is a no-no in my opinion. This will break too many
> > systems out there.
> >
> Changing the default in code will break existing configs that rely on
> the defaults. (e.g. not have explicitly set "allowguest=yes")
>
> Changing the default in the sample config will break nobody's config and
> nobody's setup.
Agreed.
>
> > If people see the warning in sip.conf and decide to ignore it, it's
> > their responsibility. Same as with every other piece of software that
> > has settings and documentation like this. (bind being recursive by
> > default for example, or sshd that allows root password based logins by
> > default)
> I don't see the argument here. "Because the others do.."
>
> Is setting senseless defaults now considered best practice or something?
> Helping beginners with meaningful defaults is generally a good thing, I
> thought.
> Whoever really wants to open his box to the world can do it, but it should
> _really_ not be the default.
I really fail to see how we are setting senseless defaults.
Even with this enabled, the sample config does not allow anything
insecure.
>
> To shorten up the discussion, I know the default context is secured by default.
> But beginners tend to start using it, because of its tempting name.
Beginners should read the documentation first, don't you think?
>
> Changing the default in configuration (not code) will break no one's
> config but will help beginners start with a more secure sample config.
> Just my 2 cents.
--
Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD
"Why is it drug addicts and computer aficionados are both called users?"
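For readers following the thread, here is an added illustration (not part of this message, and not Asterisk's own sip.conf.sample) of what "changing the default in configuration, not code" looks like in practice: the permissive setting is shown commented out next to the restrictive one, so a box that copies the sample never depends on the compiled-in default. The context name `public` and the dialplan lines are constructed for this example; the option names allowguest, context and alwaysauthreject are real sip.conf options, but check their exact semantics against the sample file shipped with your Asterisk version.

```ini
; sip.conf -- constructed example, not from the thread or from Asterisk's sample file
[general]
; Permissive: unauthenticated INVITEs are accepted and dropped into the
; context named by "context=". A config that simply omits allowguest gets
; whatever the code default is, which is the point of this thread.
;allowguest=yes
;context=default

; Restrictive: refuse calls from peers that cannot authenticate ...
allowguest=no
; ... and, should guests ever be re-enabled, send them somewhere harmless
; rather than into the same context the phones use.
context=public
; Reject bad auth the same way whether or not the peer name exists,
; so peer names cannot be enumerated from the response.
alwaysauthreject=yes

; extensions.conf -- constructed example: the "public" context above
; contains nothing a guest caller could use to reach a trunk.
[public]
exten => _X.,1,NoOp(Unauthenticated call to ${EXTEN} rejected)
exten => _X.,n,Hangup()
```

The point of keeping the commented-out permissive lines is documentation: an administrator editing the file sees both choices and what each one exposes, which is what the sample-file change discussed above is meant to achieve without breaking existing installs.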