[Asterisk-Users] FW: Getting PHP Config to work?
Tzafrir Cohen
tzafrir at cohens.org.il
Fri Feb 25 11:31:07 MST 2005
On Fri, Feb 25, 2005 at 04:43:50PM -0000, C. Tomlinson wrote:
> Hi,
>
> Thanks for the batchfile type, it's a handy one.
>
> I'm not editing over the internet, just local LAN for testing ATM. Protected
> via firewall.
>
> Would it not be fairly secure using a combination of the following:
> .htaccess file
> VPN?
> https access?
> Limit apache to only allow certain IP's?
> And the public keys thing.
Secure against what? What are the threats you consider?
VPN and/or limit of IP addresses (in iptables or in apache's config)
would serve to allow access only from certain addresses. But is this a
realistic limitation? I thought you wanted to be able to edit the
configuration from various hosts. If this is only your setup, then an
sftp-based setup is probably more convenient.
Using a .htaccess file (or even better: an apache config snippet in
/etc/apache/conf.d) you can force authentication to get to this
directory. But then again, you empower the apache user (www-data) to
configure and control asterisk, and thus if anybody manages to make your
web server execute an arbitrary script (e.g: can write to a .php file
under the wwwroot) they can make asterisk execute arbitrary code as
well.
The chmod command makes Asterisk's configuration world-writable. So
anybody with temporary write access to your system can again change
asterisk's configuration. This breaks a general sanity assumption that
only system users can write to the configuration. As a rule of thumb
such a chmod should generally be replaced by adding a certain user to a
certain group.
You also change the permissions to the asterisk reload script to 777.
Why does it need to be world-writable? This gives an attacker yet
another place to inject executable code.
In short: I still fail to see the advantages of using phpconfig in your
settings.
--
Tzafrir Cohen | New signature for new address and | VIM is
http://tzafrir.org.il | new homepage | a Mutt's
tzafrir at cohens.org.il | | best
ICQ# 16849755 | Space reserved for other protocols | friend
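As an added example (not part of the thread), a POSIX shell sketch of the permission check the reply implies and of the group-based alternative it recommends instead of chmod 777. The sandbox directory, the file names and the demo function are constructed; the real group name and config path on an installation are assumptions left as comments.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Audits a config tree for
# world-writable entries (the risk the reply describes) and replaces them
# with group-writable permissions. Paths below are a constructed sandbox.
set -eu

# List every regular file or directory under $1 that grants write to "other".
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002
}

# Number of world-writable entries under $1; 0 means the tree is clean.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Group-based alternative to chmod 777: drop the "other" write bit
# everywhere, grant write to the group, and set setgid on directories so
# new files inherit the group. On a real host you would also run
# "chgrp -R <asterisk group> /etc/asterisk" and add the web user to that
# group (assumed names, not created here).
harden_tree() {
    chmod -R o-w "$1"
    find "$1" -type f -exec chmod g+w {} +
    find "$1" -type d -exec chmod g+ws {} +
}

# Build the setup criticised in the thread, audit it, harden it, re-audit.
# Prints "<world-writable before> <world-writable after>".
demo() {
    sandbox=$(mktemp -d)
    mkdir "$sandbox/asterisk"
    printf '[general]\n' > "$sandbox/asterisk/extensions.conf"   # constructed
    printf '#!/bin/sh\nasterisk -rx reload\n' > "$sandbox/asterisk/reload.sh"
    chmod -R 777 "$sandbox/asterisk"          # the world-writable setup
    before=$(count_world_writable "$sandbox/asterisk")
    harden_tree "$sandbox/asterisk"
    after=$(count_world_writable "$sandbox/asterisk")
    rm -rf "$sandbox"
    echo "$before $after"
}

demo
```

The same find_world_writable check run against a live /etc/asterisk (and the directory holding the reload script) is a quick way to spot what the chmod in question has left open.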