[Asterisk-Users] Getting netmeeting to work with Asterisk

Simon J Mudd sjmudd at pobox.com
Fri Jun 6 01:24:00 MST 2003


jj at indie.org (Jeremy McNamara) writes:

> Simon J Mudd wrote:
> 
> >Using the LD_LIBRARY_PATH as you explain appears to be rather a hack.
> 
> LD_LIBRARY_PATH is a standard Linux environment value, so complain to Linus.

I'm aware of what LD_LIBRARY_PATH is for (and that it works on various
versions of UNIX), but my point was more from a safe installation
point of view:

1. pwlib and h323 libraries are from their own documentation
   "usefully" installed in $HOME/pwlib and $HOME/openh323
   respectively.  If these libraries have been installed by a non-root
   user and then you start asterisk as root, there is a _potential_
   for this to be a security concern. In practice nothing may normally
   happen, but ...

2. The asterisk software when running make install, installs by
   default into /etc/asterisk and other [root owned] directories.
   This therefore assumes that the asterisk installation is to be run
   or started by root.  If this is the case then IMO modifying
   LD_LIBRARY_PATH to include a non-root directory to include these
   libraries is unsafe, and if you want to ensure that you use non
   system/vendor/distribution -installed pwlib/h323 libraries that the
   location of these libraries should be under asterisk's control, but
   in a _safe_ (root owned) directory.

Then again, it is quite possible that asterisk doesn't need to run as
root, but can quite happily run as a standard user.  If this is so
then a good installation may require running as a non-root user which
from a security point of view can ensure that any problems within
asterisk can not lead to root exploits of the system.

> >I wasn't sure WHY you frown so heavily on the vendor/distribution
> >pwlib/h323 libraries (do they change that much or are different
> >versions incompatible?) and as I hadn't installed these as packaged
> >libraries I [safely] copied them to /usr/lib.
> 
> They rename the libraries, have been known to make changes (which can
> be argued both good and bad) and/or they haven't been updated in ages,
> thus will not work properly with chan_h323 as we had to fix a few bits
> of the H.323 stack. (the external rtp features)

Ok. That's clear and understandable. I guess VoIP is rather lower on
their list of priorities.

FYI the reason I mention these things is that my background is using
mail server software which in the past has been rather infamous for
leading to root exploits of the system due to bugs [sendmail].  I've
been an active member of the Postfix mailing list and the author has
designed the software to ensure that this sort of problem is extremely
difficult to produce on his software.  One of the ways he does this is
to ensure that both outside access to the application can't make the
software _execute_ untrusted code and that internally the application
can't be run in an insecure environment.

The use of LD_LIBRARY_PATH in a well installed system thus struck me
as being unusual which is why I asked.

As you have seen I know next to nothing about VoIP and asterisk. I'm
just trying to get a better understanding of how the software
works.  Thanks for taking the time to answer me.

Simon
-- 
Simon J Mudd, Postfix RPM Packager, Amsterdam, The Netherlands.
email: sjmudd at pobox.com, Tel: +31-627-592 627, http://postfix.WL0.org
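
The check implied by points 1 and 2 above, as an added example that is not part of the original message or of asterisk: before a root-started daemon is launched, confirm that every LD_LIBRARY_PATH directory and each of its ancestors is owned by a trusted uid and not writable by anyone else. The names audit_library_path, _weakness, trusted_uids and top are hypothetical, and the sample path is constructed.

```python
import os
import stat

def _weakness(st, trusted_uids, leaf):
    """Say why a directory is unsafe to load libraries from, or return None."""
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    # A sticky ancestor such as /tmp stops users renaming entries they do not
    # own, so it is tolerated; the library directory itself never is.
    if writable and (leaf or not st.st_mode & stat.S_ISVTX):
        return "writable by group or others"
    return None

def audit_library_path(value, trusted_uids=(0,), top="/"):
    """Return (entry, reason) pairs for LD_LIBRARY_PATH-style entries that an
    untrusted account could use to plant or replace a shared library."""
    findings = []
    if not value:                      # unset or empty: nothing to audit
        return findings
    top = os.path.realpath(top)        # assumption: ancestors above `top` are trusted
    for entry in value.split(":"):
        if not os.path.isabs(entry):   # "" and "lib" both depend on the cwd
            findings.append((entry, "relative or empty entry, resolved against cwd"))
            continue
        path, leaf = os.path.realpath(entry), True
        while True:                    # check the directory, then each ancestor
            try:
                reason = _weakness(os.stat(path), trusted_uids, leaf)
            except OSError as exc:
                reason = f"cannot stat ({exc.strerror})"
            if reason:
                findings.append((entry, f"{path}: {reason}"))
                break
            if path == top or path == os.path.dirname(path):
                break
            path, leaf = os.path.dirname(path), False
    return findings

if __name__ == "__main__":
    # Constructed sample value modelled on the $HOME/pwlib layout discussed above.
    sample = os.path.expanduser("~/pwlib/lib") + ":/usr/lib"
    for entry, reason in audit_library_path(sample):
        print(f"UNSAFE {entry!r}: {reason}")
```

An empty list means every entry resolves to a directory chain that only the trusted uids can modify.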