[asterisk-users] allowguest defaults to yes for SIP

Lee Howard faxguy at howardsilvan.com
Fri Nov 13 01:46:49 CST 2009


Michael Wyres wrote:
> The way I see it, the reason you have encountered some resistance to your opinion in regards to whether guest access should be allowed by default or should not be, is not because your opinion is "right" or "wrong" - everyone is entitled to an opinion - and your stance has merit, certainly - I don't think anyone is actually disputing that.  It is more that a lot of the people on this list have been using Asterisk for a LOOOOOOOONG time, and have explained why it might be advantageous to have guest access enabled by default.  There are definitely uses for this functionality, as has been demonstrated by a number of examples contained in this thread.
>   

I certainly understand why someone would want such a feature.  Again, I 
think that it's a feature that should not be enabled by default.  I 
realize that some people that are using this feature would be 
inconvenienced if this default were to change.  I think that 
inconvenience is far outweighed by the benefits in avoiding exploitation 
of those who are unaware of this feature.

I don't know how long, exactly, a LOOOOOOOONG time is.  Certainly there 
are plenty of people who have used it longer than I have.  I started 
investigating and studying Asterisk in 1999.  I started using it in 
2002.  If that's not long enough to deserve a voice, then I understand.

> Isn't this why you joined the list?  To learn more about the product, and get ideas and assistance from the more experienced users of the product?
>   

I've been a list member for a very long time.  Back in that day I was 
accustomed to joining the users list for every software I used with any 
interest.  The point of joining the list was, yes, to learn, but also to 
share and to provide feedback to developers.

> You raised your concern, and Tilghman (a senior developer at Digium) explained the reasoning behind the default setting.  He suggested that you take your concern to the tracker and post a patch.  You resisted.

In case you weren't aware, I *DID* open a case on the bug tracker, and I 
*DID* write a patch as requested.  However, an eager bug marshal decided 
to close my case before the patch was written and asked me to come to 
this list to discuss the subject.  So Tilghman was asking me to create a 
*NEW* ticket and to post the patch there... yet all the while there were 
discussions going on on asterisk-dev about the very same subject which, 
as clearly stated, superseded my contribution due to merit.  In other 
words, there was little point for me to write any patch until after 
those whose opinions count due to merit are done (but even then, I still 
wrote and contributed a patch).

But please understand, I've been down this path before many times.  I 
wasn't trying to be resistant.  Instead, I was merely cognizant of the 
fact that I had already done enough to express my opinions and that to 
continue restating them over and over would have been futile and 
argumentative.

> Now, the default extensions.conf contains the following snippet:
>
> <snip>
>
> [default]
> ;
> ; By default we include the demo.  In a production system, you
> ; probably don't want to have the demo there.
> ;
> include => demo
>
> </snip>
>
> Now, a lot of people never RTFM for anything.  Moreover, how many people actually read the EULA for any piece of software they use?  It's not Asterisk/Digium's fault if people don't read the available documentation that they provide.  The quite plainly clear statement above is "in a production system, you probably don't want to have the demo there".  Did you read that bit?  Did you wonder why that bit is there?

Yes, I did read that.  This led me to immediately remove the demo.  It 
did not, however, lead me to set allowguest=no.

> When I first started working with Asterisk, I clearly remember that line (or something very similar) piquing my curiosity to dig a little deeper as to why that statement was made.  Lo, I discovered that this was because by default, guest access is allowed.
>   

You certainly took it further than I did.  I accepted what it said at 
face-value.  I didn't continue to investigate.  I can't help but think 
there are others like me who will not read between the lines to learn 
that guest access is enabled by default.  Indeed, the language in 
doc/security.txt doesn't currently make this clear, either... reading it 
at face value I see a bias against using the "default" context for 
anything involving tolls, but it still doesn't say that unauthenticated 
callers are permitted by default.  Again, you were more inquisitive than 
I was.  I applaud you for it.  Do we expect that level of 
inquisitiveness from all users?

> I too found the default access odd at first, but I chose to understand the reasoning from people who knew better, instead of chucking a hissy fit.

I'm sorry, I'm not sure I understand your definition of hissy fit.  If 
you view my behavior as a hissy fit then I do apologize.  Please 
understand, however, that I *DID* follow expected protocol, and what I 
did would have been more than enough to constitute a contribution in 
most open-source projects in which I participate.  You seem disturbed 
that I chose to stop pursuing this once I felt that further efforts were 
not going to be productive.  I probably came to that conclusion sooner 
than you did... probably because of my past experience in this regard.

Thanks,

Lee.
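
An added example, not part of the original message and not Asterisk project code: a small audit that reports whether a sip.conf leaves guest calls enabled and which dialplan contexts and extensions those calls can then reach through `include =>`. The sample files are constructed; it assumes an unset `allowguest` means yes (the default discussed in this thread) and that guest calls land in the `context` named in `[general]`, falling back to `default`.

```python
import re

# Constructed sample configs (not from the thread), shaped like a stock install.
SIP_CONF = """\
[general]
context=default      ; where unauthenticated (guest) calls land
;allowguest=no       ; commented out, so the built-in default applies
"""
EXTENSIONS_CONF = """\
[default]
include => demo
[demo]
exten => s,1,Answer()
exten => 1000,1,Dial(SIP/trunk/${EXTEN})
"""
FALSE_VALUES = {"no", "false", "n", "f", "0", "off"}

def parse(text):
    """Parse Asterisk-style config into {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment (escapes ignored)
        header = re.fullmatch(r"\[([^\]]+)\](\(.*\))?", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)      # handles both '=' and '=>'
            current.append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def audit(sip_text, ext_text):
    """Report whether guest calls are accepted and what dialplan they can reach."""
    general = dict(parse(sip_text).get("general", []))
    # Assumption: an unset allowguest means "yes", the default this thread debates.
    allowed = general.get("allowguest", "yes").lower() not in FALSE_VALUES
    report = {"guest_allowed": allowed, "reachable": [], "extensions": []}
    dialplan = parse(ext_text)
    stack = [general.get("context", "default")] if allowed else []
    while stack:                                 # follow 'include =>' transitively
        ctx = stack.pop()
        if ctx in report["reachable"] or ctx not in dialplan:
            continue
        report["reachable"].append(ctx)
        for key, value in dialplan[ctx]:
            if key == "include":
                stack.append(value.split(",")[0])
            elif key == "exten":
                report["extensions"].append(value.split(",")[0])
    return report
```

Removing the demo include shrinks the reachable list, but `guest_allowed` stays true until `allowguest=no` is set explicitly, which is the gap described in the message above.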



