[asterisk-users] allowguest defaults to yes for SIP

Lee Howard faxguy at howardsilvan.com
Thu Nov 12 12:08:39 CST 2009


Tilghman Lesher wrote:
> On Thursday 12 November 2009 09:53:17 Lee Howard wrote:
>   
>>
>> These people should need to deliberately use allowguest=yes.  I would
>> venture to guess that these people already know who they are and
>> deliberately have this set.  I would venture to guess that there are
>> far, far more people who have it turned on by default who really don't
>> want it that way than there are who expected it to be that way and
>> desire it to so be.
>>     
>
> And the people who use this probably believe that YOU should be the one
> who has to deliberately turn this option off.  I would venture to guess that
> 90% of all statistics are made up on the spot, including this one and the
> two you specified above.
>   

I made it clear that they were guesses.  But, please *DO* take a vote on 
this.  I'm not seeing anyone but you stand up to support the default 
setting.  Unless you take a vote there's really nothing I can do but guess.

The fact that this problem is being exploited leads me to believe that 
this is far more prevalent a problem than just my single case.  Take 
care of your users when you can do something so easily.  Don't 
deliberately let them learn things the hard way on the basis that they 
should have known better.  The mere fact that this issue is addressed in 
doc/security.txt should be an indication that there is a common risk 
that could be averted.

>> And yet this point is not even made clear in the doc/security.txt file.
>> It says to not use "default" for anything you don't want to get abused,
>> but it doesn't say *why*.  So I can envision, then, someone reading the
>> document and then changing context=internal in the [general] section of
>> sip.conf... and thinking that they responded correctly to what the
>> document said.
>>     
>
> You've just made a case for enhancing the documentation, not for changing
> the defaults.  If you contribute documentation changes to this effect on the
> issue tracker, I would be more than happy to commit them.

The patch is attached.  Feel free to add it to bug tracker issue ID 
16226 which some maintainer was happy enough to close already.

And, for what it's worth let me restate my vote that the default for 
allowguest be changed to "no" on the basis of keeping ignorant people 
from making a stupid mistake.

Thanks,

Lee.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: asterisk-allowguest-doc.patch
Type: text/x-patch
Size: 1918 bytes
Desc: not available
Url : http://lists.digium.com/pipermail/asterisk-users/attachments/20091112/bf1da3e8/attachment.bin 
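
The audit sketch below is an added example, not part of the message above or of Asterisk itself. It reads the [general] section of a sip.conf and reports whether unauthenticated (guest) calls are accepted and which dialplan context they enter, including the case raised in the thread where only context= is renamed. The function names and the three sample configurations are constructed for illustration; it assumes chan_sip routes guest calls to the context set in [general] and it does not follow #include files or templates.

```python
import re

# Words Asterisk treats as boolean true (assumption: plain yes/no use of allowguest).
TRUE_WORDS = {"yes", "true", "y", "t", "1", "on"}

def general_settings(conf_text):
    """Collect key/value pairs from the [general] section; the last value wins."""
    settings, section = {}, None
    for raw in conf_text.splitlines():
        line = re.sub(r"(?<!\\);.*", "", raw).strip()   # drop ';' comments
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "general" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.lstrip(">").strip()
    return settings

def audit_guest_access(conf_text):
    """Report whether unauthenticated SIP calls are accepted and where they land."""
    general = general_settings(conf_text)
    explicit = general.get("allowguest")
    # Per the thread: with no allowguest line at all, the effective value is yes.
    enabled = True if explicit is None else explicit.lower() in TRUE_WORDS
    context = general.get("context", "default")
    findings = []
    if enabled:
        origin = "left at its default" if explicit is None else "set explicitly"
        findings.append(f"allowguest is on ({origin}): add allowguest=no to [general]")
        findings.append(f"guest calls reach dialplan context '{context}'")
    return {"allowguest": enabled, "explicit": explicit is not None,
            "guest_context": context, "findings": findings}

# Constructed sample configurations (not taken from the post).
UNTOUCHED = "[general]\nbindport=5060\n\n[alice]\ntype=friend\ncontext=internal\n"
RENAMED = "[general]\ncontext=internal ; renamed after reading security.txt\n"
HARDENED = "[general]\nallowguest=no\ncontext=unauthenticated\n"

if __name__ == "__main__":
    for name, conf in (("untouched", UNTOUCHED), ("renamed", RENAMED),
                       ("hardened", HARDENED)):
        print(name, audit_guest_access(conf))
```

The "renamed" sample is the scenario described in the message: the context name changes, guest calls are still accepted, and they now land in the context meant for internal users.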

