asterisk dapper.2114_to_dapper.2234 diff

Diego Iastrubni diego.iastrubni at xorcom.com
Tue Aug 8 06:08:31 UTC 2006


On Tuesday 08 August 2006 09:01, Tzafrir Cohen wrote:
> > 3) having only the additional files www-data writable, but still the
> > asterisk directory needs to be writable by that user (or use another sub
> > dir /etc/asterisk/additional with www-data write permissions...?)
...
> For all the above I find it complicated to devise an interface that
> is useful enough and yet does not allow the caller (e.g: the original
> www-data script) the full permissions of the user asterisk.
Look at number (3): www-data is almost masked out from the dialplan.

Except for:
> Basically anybody who can inject arbitrary dialplans to Asterisk has
> a good control over that user. Specifically one can use System() to
> practically make Asterisk run an arbitrary command (as the Asterisk
> user).
which is an inherent security problem of this application.
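
An added example, not part of the original e-mail or of the package under discussion: a small audit that lists the steps in a web-writable dialplan file that hand a string to the operating system, which is the exposure the quoted paragraph describes. The application list (System, TrySystem, AGI, EAGI, DeadAGI, and the SHELL function) is this example's own selection and is not exhaustive; the sample dialplan is constructed.

```python
import re

# Applications/functions that run an external command as the Asterisk user.
# This list is an assumption of the example; extend it for your installation.
EXEC_RE = re.compile(
    r"\b(System|TrySystem|AGI|EAGI|DeadAGI)\s*\(|\$\{\s*(SHELL)\s*\(", re.I)
STEP_RE = re.compile(r"^(exten|same)\s*=>?", re.I)   # dialplan step lines
CONTEXT_RE = re.compile(r"^\[([^\]]+)\]")            # [context] headers

def audit_dialplan(text):
    """Return (line number, context, name) for every command-executing step.

    The whole step is searched, so nested uses such as ExecIf(...?System(...))
    are reported too. Text after an unescaped ';' is a comment and is ignored.
    """
    findings = []
    context = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.split(r"(?<!\\);", raw, maxsplit=1)[0].strip()
        header = CONTEXT_RE.match(line)
        if header:
            context = header.group(1)
            continue
        if not STEP_RE.match(line):
            continue
        for hit in EXEC_RE.finditer(line):
            name = hit.group(1) or hit.group(2)
            findings.append((lineno, context, name.lower()))
    return findings

# Constructed sample of a file the web interface is allowed to write.
SAMPLE = r"""
[from-internal]           ; constructed sample, not from a real system
exten => 100,1,Answer()
exten => 100,n,Playback(hello-world)   ; System(ignored: inside a comment)
exten => 101,1,System(/usr/local/bin/notify.sh ${CALLERID(num)})
same => n,Set(OUT=${SHELL(date)})
[ivr]
exten => s,1,ExecIf($[${X}=1]?TrySystem(touch /tmp/flag))
"""

if __name__ == "__main__":
    for lineno, context, name in audit_dialplan(SAMPLE):
        print(f"line {lineno} [{context}]: {name}")
```

Run against the files www-data can write before each reload, any finding means the web user can reach the asterisk account through the dialplan.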


