[asterisk-users] How to secure Configuration files

Kevin P. Fleming kpfleming at digium.com
Wed Jul 7 15:44:13 CDT 2010


On 07/07/2010 03:33 PM, Tilghman Lesher wrote:
> On Wednesday 07 July 2010 14:58:05 Kevin P. Fleming wrote:
>> On 07/07/2010 10:52 AM, Tilghman Lesher wrote:
>>> On Wednesday 07 July 2010 05:24:10 A J Stiles wrote:
>>>> On Tuesday 06 Jul 2010, ABBAS SHAKEEL wrote:
>>>>> Hello Community,
>>>>>
>>>>> ..... I am facing an issue of security i.e.  We deploy
>>>>> servers to client end. Now I don't want the client to see my
>>>>> configuration files (Of course copy and distribute or replicate the
>>>>> logic without permission).  [ 1 paragraph omitted ]
>>>>> Is there a way that the configuration files get encrypted or something
>>>>> else so that someone who has system access cannot copy the
>>>>> configuration files data or look into those files.
>>>>
>>>> Well!  It's a good job Mark Spencer was never so mean-spirited,
>>>> otherwise you would never have been *given* the power of Asterisk.
>>>
>>> In addition, depending upon how you do this, it may be a serious
>>> violation of the license under which Asterisk was distributed to you and
>>> under which you are required to distribute Asterisk to others.  If you
>>> are looking for a legitimate way to do this, you'd have to obtain a
>>> commercial license from Digium.
>>
>> That statement will likely lead to yet more confusion about how the GPL
>> applies to Asterisk and distribution of Asterisk... without a specific
>> example of how a violation could occur, users will tend to interpret
>> such statements in the broadest possible terms, which does harm to their
>> understanding of how they can use and distribute Asterisk.
> 
> Correct, which is why I used the word 'may'.  The only way to sufficiently
> protect the configuration files would be to alter Asterisk and then refuse
> to provide the altered source to those to whom he provided the binary.
> That would be a violation of the GPL.  The only method I can see to get
> around this would be to obtain Asterisk under a non-GPL license.

It would have been helpful if you had included that example then,
instead of posting such a broad statement that will likely lead to
misinterpretations when it is read from the list archives (and posted on
wikis, and other places). When the 'may' qualifier represents a very
small subset of the possible routes the user might take to achieve their
goal (even if it is the only one to provide any significant level of
security), the generalization will naturally be assumed by readers to
cover many more routes than it actually does... and we have direct
experience that users often can and do believe that the GPLv2 does
somehow control the distribution of their configuration files. In
situations like this, context is everything, and it's much easier to
narrow the context of such a statement when it is written, than after it
has been posted and repeated.

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kfleming at digium.com
Check us out at www.digium.com & www.asterisk.org


