[Asterisk-Users] Asterisk crashes my router!?

Steven Critchfield critch at basesys.com
Thu Dec 2 22:21:09 MST 2004


On Fri, 2004-12-03 at 12:39 +0800, Dinesh Nair wrote:
> On 03/12/2004 04:01 Nick Bachmann said the following:
> > There's an excellent reason they're the first: those are both such 
> > unbelievably terrible ideas, especially the PHP init scripts.
> > I would recommend IPCop, because their designers are a little more.... 
> 
> would you elaborate why these are terrible ideas ? i'm sure, of course, 
> that you actually used m0n0wall and evaluated it before coming up with that 
> statement.

critch@steven:~$ ls -l /bin/bash -h
-rwxr-xr-x  1 root root 652K Nov 11 00:42 /bin/bash
critch@steven:~$ ldd /bin/bash
        libncurses.so.5 => /lib/libncurses.so.5 (0x40028000)
        libdl.so.2 => /lib/libdl.so.2 (0x40067000)
        libc.so.6 => /lib/libc.so.6 (0x4006a000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
critch@steven:~$ ldd /bin/bash|awk '{print $3}'|xargs ls -lHh
-rwxr-xr-x  1 root root  88K Oct 13 14:40 /lib/ld-linux.so.2
-rw-r--r--  1 root root 1.2M Oct 13 14:40 /lib/libc.so.6
-rw-r--r--  1 root root 9.7K Oct 13 14:40 /lib/libdl.so.2
-rw-r--r--  1 root root 247K May 27  2004 /lib/libncurses.so.5

Or about a total of 2.2 megs

critch@steven:~$ ls -l /usr/bin/php4 -h
-rwxr-xr-x  1 root root 2.9M Oct  5 03:49 /usr/bin/php4
critch@steven:~$ ldd /usr/bin/php4
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40028000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40055000)
        libexpat.so.1 => /usr/lib/libexpat.so.1 (0x4006a000)
        libedit.so.2 => /usr/lib/libedit.so.2 (0x4008b000)
        libncurses.so.5 => /lib/libncurses.so.5 (0x400a7000)
        libpcre.so.3 => /usr/lib/libpcre.so.3 (0x400e6000)
        libpanel.so.5 => /usr/lib/libpanel.so.5 (0x400f6000)
        libdb-4.2.so => /usr/lib/libdb-4.2.so (0x400fa000)
        libbz2.so.1.0 => /usr/lib/libbz2.so.1.0 (0x401d0000)
        libz.so.1 => /usr/lib/libz.so.1 (0x401e0000)
        libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x401f2000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x40223000)
        libm.so.6 => /lib/libm.so.6 (0x40235000)
        libdl.so.2 => /lib/libdl.so.2 (0x40257000)
        libc.so.6 => /lib/libc.so.6 (0x4025a000)
        libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 (0x4038e000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
critch@steven:~$ ldd /usr/bin/php4|awk '{print $3}'|xargs ls -lHh
-rwxr-xr-x  1 root root   88K Oct 13 14:40 /lib/ld-linux.so.2
-rw-r--r--  1 root root  1.2M Oct 13 14:40 /lib/libc.so.6
-rw-r--r--  1 root root   19K Oct 13 14:40 /lib/libcrypt.so.1
-rw-r--r--  1 root root  9.7K Oct 13 14:40 /lib/libdl.so.2
-rw-r--r--  1 root root  132K Oct 13 14:40 /lib/libm.so.6
-rw-r--r--  1 root root  247K May 27  2004 /lib/libncurses.so.5
-rw-r--r--  1 root root   72K Oct 13 14:40 /lib/libnsl.so.1
-rw-r--r--  1 root root   64K Oct 13 14:40 /lib/libresolv.so.2
-rw-r--r--  1 root root 1006K Nov 14 13:43 /usr/lib/i686/cmov/libcrypto.so.0.9.7
-rw-r--r--  1 root root  194K Nov 14 13:43 /usr/lib/i686/cmov/libssl.so.0.9.7
-rw-r--r--  1 root root   61K Nov 24 18:23 /usr/lib/libbz2.so.1.0
-rw-r--r--  1 root root  857K Aug 21 00:27 /usr/lib/libdb-4.2.so
-rw-r--r--  1 root root  106K Aug 30 17:08 /usr/lib/libedit.so.2
-rw-r--r--  1 root root  127K Oct 19 19:34 /usr/lib/libexpat.so.1
-rw-r--r--  1 root root   12K May 27  2004 /usr/lib/libpanel.so.5
-rw-r--r--  1 root root   63K Mar 12  2004 /usr/lib/libpcre.so.3
-rw-r--r--  1 root root   66K Oct 30 13:49 /usr/lib/libz.so.1

Or about 7.2 megs. Do you gain enough by using php to explain an extra 5
megs or so over the normal bash? Of course you could go the busybox
route and be in at a total of 937k or over 6 megs less executables but a
crap load more functionality. 

So quickly you get the fact that on a minimalistic system such as a
firewall, you don't want all those libraries and crap. A true firewall
should be so minimal it would easily fit on a floppy image and be read
only so as not to be very exploitable.

And for a non-technical argument, the use of php for the init scripts
smacks of someone who knew php and thought they would reinvent the
wheel (firewall) with the only technology they knew how to use. If true,
I would worry about security.
-- 
Steven Critchfield <critch at basesys.com>
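
The footprint comparison in the message above, as an added example that is not part of the original post: a script that totals a binary plus the shared libraries ldd resolves for it. It goes beyond the ldd output format shown in the message by also handling loader lines without "=>", vdso entries and "not found" lines; the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: on-disk footprint of a binary and its shared libraries.
# Run ldd only on binaries you trust; on some systems it works by
# invoking the dynamic loader on the target file.

# Read ldd output on stdin, print each resolved library path once.
ldd_paths() {
    awk '
        # "libfoo.so => /path/libfoo.so (0x...)"; skips "=> not found"
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        # "/lib/ld-linux.so.2 (0x...)": loader line without "=>"
        $1 ~ /^\// { print $1 }
    ' | sort -u
}

# Read file paths on stdin, print their combined size in bytes.
# Reading through redirection follows symlinks, like "ls -H" in the message.
total_bytes() {
    total=0
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f")
        total=$((total + size))
    done
    echo "$total"
}

# Binary itself plus everything ldd resolves for it.
footprint() {
    { printf '%s\n' "$1"; ldd "$1" 2>/dev/null | ldd_paths; } | total_bytes
}

# Usage: sh footprint.sh /bin/bash /usr/bin/php4
for b in "$@"; do
    printf '%s\t%s bytes\n' "$b" "$(footprint "$b")"
done
```

Run against the interpreter candidates for an init system, it gives the same comparison as the ls/ldd session above in a single number per binary.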



