multiple /tmp file vulnerabilities #48
Comments
I think this can be fixed by setting user/group for the fifo/ctl-socket files. Each of these modules has a corresponding parameter. Would that work?
Changes I'm planning to do in the Debian packaging:
I'm going to change the default of the ctl module to /var/run/kamailio/kamailio_ctl so kamcmd will use it by default, and I'm going to set the binrpc parameter explicitly in the etc/kamailio/*.cfg files.
I'm going to use the basedir Makefile config instead of /tmp.
On 24 Jan 2015, at 13:20, Victor Seva notifications@github.com wrote:
Is there a reason for not changing the Kamailio defaults? /O
And point them where? /var/run/kamailio is Debian specific; not all OSes use that.
On 24 Jan 2015, at 17:18, Victor Seva notifications@github.com wrote:
My OS X has /var/run with various sockets. I think it works for all of these. /O
Why not default to the kamailio working directory? Not the nicest way, but it should work on most setups.
I would say follow generic standards and place the files in /var/run by default. We should behave like other servers in a system whenever possible.
If /var/run is common to all major Linuxes and *BSDs, it can be used. But some of those Linuxes are using an application-name folder inside /var/run, so that doesn't seem to be standard - e.g., Debian is using /var/run/kamailio/... for the PID. Also, when installing with a PREFIX, perhaps this has to be taken into consideration and have $PREFIX/var/run.
…re /tmp Reported by: Helmut Grohne <helmut@subdivi.de> See kamailio#48
JFTR I've just uploaded 4.2.0-2 to Debian and it has been unblocked by the Release Manager Team. So it will finally land in jessie.
I'm glad to see work in this direction. I've been using this patch for Fedora 20, 21 & EL7 RPMs to move things from /tmp to /run/kamailio. I'm sure it's not complete, but it's worked well so far.
Many thanks Victor for pursuing this and getting it pushed to Debian. Perhaps we can make the default /var/run/ instead of /tmp/, with Debian
At the end, I am happy to make it directly defaulting to
On Fri, Jan 30, 2015 at 12:34 AM, Anthony Messina notifications@github.com
Daniel-Constantin Mierla - http://www.asipto.com
Reported by: Helmut Grohne helmut@subdivi.de
The kamailio package now installs /etc/kamailio/kamailio-basic.cfg which
can be selected via the CFGFILE= setting in /etc/default/kamailio. The
configuration contains:
This setting is insecure and may allow local users to elevate privileges
to the kamailio user.
The issue extends to kamailio-advanced.cfg. It seems that this is due to
an incomplete fix of #712083. Looking further, the state of /tmp file
vulnerabilities in kamailio looks worrisome. Most of the results of the
following command (to be executed in the kamailio source) are likely
vulnerable if executed:
Granted, some of the results are examples, documentation or obsolete.
But quite a few reach the default settings:
utils/kamctl/Makefile.
More research clearly is required here. Given these findings, the
security team may want to veto the inclusion of kamailio in a stable
release, which would be very unfortunate as kamailio is quite a unique
piece of software with few competitors in its field.
Helmut
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775681
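As an added example (not code from this thread or from the Kamailio project), here is a POSIX shell script with the checks a packager would run while moving the FIFO and control-socket paths discussed above out of /tmp: it refuses a path whose parent directory is world-writable (any local user can pre-create the name there), accepts a private directory owned by the service user or root, and lists the lines of a config file that still point at /tmp/. The sample config is constructed; the ctl "binrpc" setting is the one named in the thread, while the mi_fifo "fifo_name" line and the directory layout under a temporary work directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not Kamailio project code. Checks for FIFO / control-socket
# paths: a path under a world-writable directory such as /tmp can be
# pre-created by any local user, so the daemon ends up opening an object it
# does not own. A directory owned by the service user (or root) and not
# writable by others removes that.

# dir_world_writable DIR : succeed if "other" users can write into DIR.
dir_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -0002 2>/dev/null)" ]
}

# dir_owned_by DIR USER : succeed if DIR is owned by USER.
dir_owned_by() {
    [ -n "$(find "$1" -maxdepth 0 -user "$2" 2>/dev/null)" ]
}

# runtime_path_safe PATH OWNER : PATH is where the daemon will create its FIFO
# or socket; OWNER is the account it runs as. Succeeds only when the parent
# directory exists, is not world-writable, and is owned by OWNER or root.
runtime_path_safe() {
    parent=$(dirname "$1")
    [ -d "$parent" ] || return 1
    dir_world_writable "$parent" && return 1
    dir_owned_by "$parent" "$2" || dir_owned_by "$parent" root
}

# prepare_runtime_dir DIR : create the private directory the daemon should use
# (what packaging does at install/start time), mode 0750. The chown to the
# service user is left to the caller, since it needs root.
prepare_runtime_dir() {
    mkdir -p "$1" && chmod 0750 "$1"
}

# cfg_tmp_paths FILE : print the non-comment lines of a kamailio.cfg-style
# file that still reference /tmp/, i.e. settings that should be moved.
cfg_tmp_paths() {
    grep -n '/tmp/' "$1" | grep -v '^[0-9]*:[[:space:]]*#'
}

# Constructed sample config (not a real Kamailio file). The mi_fifo line is an
# assumed parameter name; the ctl binrpc lines follow the thread.
write_sample_cfg() {
    cat > "$1" <<'EOF'
# modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo")
modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo")
modparam("ctl", "binrpc", "unix:/tmp/kamailio_ctl")
modparam("ctl", "binrpc", "unix:/var/run/kamailio/kamailio_ctl")
EOF
}

demo() {
    me=$(id -un)
    work=$(mktemp -d)
    # A /tmp look-alike: world-writable with the sticky bit.
    mkdir "$work/tmp" && chmod 1777 "$work/tmp"
    prepare_runtime_dir "$work/run/kamailio"

    for p in "$work/tmp/kamailio_fifo" "$work/run/kamailio/kamailio_fifo"; do
        if runtime_path_safe "$p" "$me"; then
            echo "ok:     $p"
        else
            echo "UNSAFE: $p"
        fi
    done

    write_sample_cfg "$work/kamailio.cfg"
    echo "config lines still pointing at /tmp/:"
    cfg_tmp_paths "$work/kamailio.cfg"
    rm -rf "$work"
}

demo
```

Run it as the account the daemon will use; on a real host replace the work directory with the actual runtime directory (for example /var/run/kamailio) and the packaged config files. The ownership check deliberately accepts root as well as the service user, since distributions commonly create the runtime directory as root and chown it in the init script.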