Hi Tzafrir,

I do accept that there are many security issues with this setup. However I agree with the post in the previous thread:

If the asterisk server is reachable from the outside over http or other unsecure protocols, it would be really dangerous. But in a trusty intranet-environment, where firewalls block every attempt to access the asterisk server from the outside, this "solution" should be safe enough, even if nothing is really safe enough ;-) .

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tzafrir Cohen
Sent: 25 February 2005 18:31
To: asterisk-users@lists.digium.com
Subject: Re: [Asterisk-Users] FW: Getting PHP Config to work?

On Fri, Feb 25, 2005 at 04:43:50PM -0000, C. Tomlinson wrote:
> Hi,
>
> Thanks for the batchfile type, it's a handy one.
>
> I'm not editing over the internet, just local LAN for testing ATM. Protected
> via firewall.
>
> Would it not be fairly secure using a combination of the following:
> .htaccess file
> VPN?
> https access?
> Limit apache to only allow certain IPs?
> And the public keys thing.

Secure against what? What are the threats you consider?

VPN and/or limit of IP addresses (in iptables or in apache's config) would serve to allow access only from certain addresses. But is this a realistic limitation? I thought you wanted to be able to edit the configuration from various hosts. If this is only your setup, then an sftp-based setup is probably more convenient.

Using a .htaccess file (or even better: an apache config snippet in /etc/apache/conf.d) you can force authentication to get to this directory.

But then again, you empower the apache user (www-data) to configure and control asterisk, and thus if anybody manages to make your web server execute an arbitrary script (e.g: can write to a .php file under the wwwroot) they can make asterisk execute arbitrary code as well.

The chmod command makes Asterisk's configuration world-writable. So anybody with temporary write access to your system can again change asterisk's configuration. This breaks a general sanity assumption that only system users can write to the configuration. As a rule of thumb such a chmod should generally be replaced by adding a certain user to a certain group.

You also change the permissions to the asterisk reload script to 777. Why does it need to be world-writable? This gives an attacker yet another place to inject executable code.

In short: I still fail to see the advantages of using phpconfig in your settings.

-- 
Tzafrir Cohen         | New signature for new address and  | VIM is
http://tzafrir.org.il | new homepage                       | a Mutt's
[EMAIL PROTECTED]     |                                    | best
ICQ# 16849755         | Space reserved for other protocols | friend

_______________________________________________
Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
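
The group-based alternative to the world-writable chmod discussed in the quoted message, as an added example that is not part of the original thread or of phpconfig. The function names are hypothetical, and the directory, script path and group are whatever the caller passes in (for instance a group that contains both the Asterisk user and the web server user).

```shell
#!/bin/sh
# Added example: audit for world-writable files, then replace
# "chmod 777/666" with group ownership. All names here are hypothetical.

# Print every world-writable file or directory under $1 (symlinks skipped).
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Number of world-writable entries under $1.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Give write access to one group instead of to everybody.
#   $1 = configuration directory
#   $2 = group (name or numeric gid) whose members may edit it
restrict_config_to_group() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" || return 1
    # Directories: setgid so new files inherit the group; nothing for others.
    find "$dir" -type d -exec chmod 2770 {} + || return 1
    # Config files: read/write for owner and group, nothing for others.
    find "$dir" -type f -exec chmod 0660 {} + || return 1
}

# A script the web user only needs to run: the group may execute it,
# only the owner may modify it.
#   $1 = script path, $2 = group
restrict_script() {
    chgrp "$2" "$1" && chmod 0750 "$1"
}
```

Running `list_world_writable` over the configuration directory and the web root before and after the change shows which entries the original chmod left open.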