multiple /tmp file vulnerabilities #48
Reported by: Helmut Grohne email@example.com
The kamailio package now installs /etc/kamailio/kamailio-basic.cfg which
This setting is insecure and may allow local users to elevate privileges
The issue extends to kamailio-advanced.cfg. It seems that this is due to
Granted, some of the results are examples, documentation or obsolete.
More research clearly is required here. Given these findings, the
Changes I'm planning to do in the Debian packaging:
I'm going to change the default of ctl module to /var/run/kamailio/kamailio_ctl so kamcmd will use it by default and I'm going to set explicitly the binrpc parameter on the etc/kamailio/*.cfg files
I'm going to use basedir Makefile config instead of /tmp
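An added example, not part of this thread or of the Kamailio or Debian code: a small audit that flags `modparam` path values under world-writable directories, the kind of setting the packaging change above moves to /var/run/kamailio. The sample config is constructed, and treating /tmp and /var/tmp as the world-writable set is an assumption.

```python
import posixpath
import re

# Assumption: directories any local user can write to. A control socket created
# here can be pre-created or swapped by another local account.
WORLD_WRITABLE = ("/tmp", "/var/tmp")

# Matches modparam("module", "param", "string value"); integer values are ignored.
MODPARAM = re.compile(r'modparam\(\s*"([^"]+)"\s*,\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)')

# Constructed sample input, not a shipped Kamailio config.
SAMPLE_CFG = """\
#!KAMAILIO
loadmodule "ctl.so"
# modparam("ctl", "binrpc", "unix:/tmp/commented_out")
modparam("ctl", "binrpc", "unix:/tmp/kamailio_ctl")
modparam("ctl", "binrpc", "tcp:localhost:2049")
modparam("ctl", "binrpc", "unix:/var/run/kamailio/kamailio_ctl")
"""


def find_tmp_params(cfg_text):
    """Return (lineno, module, param, path) for paths under WORLD_WRITABLE."""
    findings = []
    for lineno, line in enumerate(cfg_text.splitlines(), 1):
        stripped = line.lstrip()
        # Skip '#' comments and '#!' preprocessor directives, plus '//' comments.
        if stripped.startswith("#") or stripped.startswith("//"):
            continue
        for module, param, value in MODPARAM.findall(line):
            # binrpc values carry a transport prefix such as "unix:".
            path = re.sub(r"^unix[sd]?:", "", value)
            if not path.startswith("/"):
                continue  # e.g. tcp:host:port, not a filesystem path
            norm = posixpath.normpath(path)  # collapse "../" tricks
            if any(norm == d or norm.startswith(d + "/") for d in WORLD_WRITABLE):
                findings.append((lineno, module, param, norm))
    return findings


if __name__ == "__main__":
    for lineno, module, param, path in find_tmp_params(SAMPLE_CFG):
        print(f"line {lineno}: {module}.{param} uses world-writable path {path}")
```
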
On 24 Jan 2015, at 13:20, Victor Seva firstname.lastname@example.org wrote:
Is there a reason for not changing the Kamailio defaults?
On 24 Jan 2015, at 17:18, Victor Seva email@example.com wrote:
My OS/X has /var/run with various sockets.
I think it works for all of these.
If /var/run is common to all major Linuxes and *BSDes, it can be used. But some of those Linuxes are using application name folder inside /var/run, so that doesn't seem to be standard - e.g., Debian is using /var/run/kamailio/... for PID.
Also, when installing with a PREFIX, perhaps this has to be taken into consideration and have $PREFIX/var/run.
referenced this issue
Jan 28, 2015
Many thanks Victor for pursuing this and getting it pushed to Debian.
Perhaps we can make the default to /var/run/ instead of /tmp/, with Debian
At the end, I am happy to make it directly defaulting to
On Fri, Jan 30, 2015 at 12:34 AM, Anthony Messina firstname.lastname@example.org