[Asterisk-Users] FW: Getting PHP Config to work?

C. Tomlinson asterisk_list at burntwires.com
Sat Feb 26 04:46:56 MST 2005 


-----Original Message-----
From: C. Tomlinson [mailto:asterisk_list at burntwires.com] 
Sent: 26 February 2005 11:39
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: RE: [Asterisk-Users] FW: Getting PHP Config to work?

Hi Tzafrir,

I do accept that there are many security issues with this setup. I am fairly
ignorant of the exact problems due to my lack of knowledge. However I agree
with the post in the previous thread:

"If the asterisk server is reachable from the outside over http or other
unsecure protocols, it would be really dangerous.
But in a trusty intranet-environment, where firewalls block every attempt to
access the asterisk server from the outside, this "solution" should be save
enough, even if nothing is really save enough ;-) .

Guido Hecken"

What exactly do you mean by an sftp based setup? Is this like the builtin
editor in WinSCP?

Phpconfig allows me to change the config by any pc on my LAN, using windows,
mac, pocket pc(have to test this one) etc. This is handy for me for testing.
I like the flexibility it gives me. The * box is behind a NAT firewall, the
only ports open being those for IAX. If I setup a VPN in the future I will
be able to access the phpconfig files securely (?) via that. It may not
suite everyone.

Maybe the 777 CHMOD could be done better, but this was the way it worked for
me. I am fairly new to Linux and *, so my methods will not be the best. 

Thanks for all the information....if I get to a production box I will
probably not use phpconfig!

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Tzafrir Cohen
Sent: 25 February 2005 18:31
To: asterisk-users at lists.digium.com
Subject: Re: [Asterisk-Users] FW: Getting PHP Config to work?

On Fri, Feb 25, 2005 at 04:43:50PM -0000, C. Tomlinson wrote:
> Hi,
> 
> Thanks for the batchfile type, it's a handy one.
> 
> I'm not editing over the internet, just local LAN for testing ATM.
Protected
> via firewall.
> 
> Would it not be fairly secure using a combination of the following:
> .htaccess file
> VPN?
> https access?
> Limit apache to only allow certain IP's?
> And the public keys thing.

Secure agains what? What are the threats you consider?

VPN and/or limit of IP addresses (in iptables or in apache's config)
would serve to allow access only from certain addresses. But is this a
relaistic limitation? I thout you wanted to be able to edit the
configuration from various hosts. If this is only your setup, then an
sftp-based setup is probably more convinient.

Using a .htaccess file (or even better: an apache config snippet in
/etc/apache/conf.d )you can force authentication to get to this
directory. But then-again, you empower the apache user (www-data) to
configure and control asterisk, and thus if anybody manages to make your
web server execute an arbitrary script (e.g: can write to a .php file
under the wwwroot) they can make asterisk execute arbitrary code as
well.

The chmod command makes Asterisk's configuration world-writable. So
anybody with temporary write access to your system can again change
asterisk's configuration. This breaks a general sanity assumption that
only system users can write to the configuration. As a rule of thumb
such a chmod should generally be replaced by adding a certain user to a
certain group.

You also change the permissions to the asterisk reload script to 777.
Why does it need to be world-writable? This gives an attacker yet
another place to inject executable code.


In short: I still fail to see the atvantages of using phpconfig in your
settings.

-- 
Tzafrir Cohen         | New signature for new address and  |  VIM is
http://tzafrir.org.il | new homepage                       | a Mutt's  
tzafrir at cohens.org.il |                                    |  best
ICQ# 16849755         | Space reserved for other protocols | friend
_______________________________________________
Asterisk-Users mailing list
Asterisk-Users at lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

More information about the asterisk-users mailing list