Bug#747302: Security flaw: deleted config files get restored

Petr Tomášek petr.tomasek at evangnet.cz
Mon May 12 10:35:02 UTC 2014


On Sun, 2014-05-11 at 20:28 +0300, Tzafrir Cohen wrote: 
> On Wed, May 07, 2014 at 12:41:01PM +0200, Petr Tomášek wrote:
> > Package: asterisk
> > Version: 1.8.13.1~dfsg1-3+deb7u3
> > 
> > The Asterisk (open source telephony switching and private branch
> > exchange service) comes with many example config files in place
> > which pose a possible security risk, as they configure features which
> > should not be present on a production system.
> > 
> > Now, if these config files are deleted they are restored by the next
> > update, meaning that the system gets screwed and it may lead to a security
> > problem.
> 
> Configuration files don't just get deleted. Did you remove asterisk (or
> rather; asterisk-config) or purge it? If you did not purge
> asterisk-config, the configuration files should not have been removed.
> Did you have any local changes that were not preserved?
> 
> Could you please give a more specific scenario?

The scenario is very simple: I deleted those config files on purpose
because I considered them to be a potential security problem.

That upgrading the asterisk package restored these potentially dangerous
config files was a big surprise to me :-(.

> > 
> > Therefore I'd suggest that config files that are just examples (and not
> > feasible defaults like e.g. ) all be moved out of /etc/asterisk to
> > some documentation directory.
> 
> Without any configuration files Asterisk will behave in different ways
> than expected. Some of the "defaults" are hard-coded in the
> configuration rather than in the code.

I wrote "config files that are just examples"! I didn't suggest that no
configuration files at all be shipped!

Of course there are some config files which contain feasible defaults,
like for example codecs.conf, but my impression is that this is true for only
a small fraction of the config files. Most of the config files are full
of "rubbish".

Just consider the files extensions.conf, extensions.ael and
extensions.lua, all of which have some idiotic examples; if someone replaces
extensions.conf with his own configuration, the configuration in
extensions.ael and *.lua (meant as an example) will still be used!

> 
>  Most notable example: by default
> asterisk will not load any module. The standard modules.conf has
> 
> [modules]
> autoload => yes

Which itself poses a security problem - most users need only a small
portion of the available modules, so why should all of them be autoloaded?

The opposite would be much better from the security (and performance)
point of view: to have a modules.conf listing ALL of the available modules
hashed out, and the user would go through this file and enable only those
modules he really needs.

I'd therefore propose that asterisk be shipped with only a very minimal
configuration to prevent potential security problems. (Or maybe a
package asterisk-config-minimal could be created for this purpose as an
alternative to asterisk-config?) I would be happy to contribute to
such an effort - however, I have so far no experience with packaging for
Debian, so I would probably need some help.

BTW, I tried to remove the asterisk-config package but dpkg refused to
do so:

# dpkg --remove asterisk-config
dpkg: dependency problems prevent removal of asterisk-config:
asterisk depends on asterisk-config (= 1:1.8.13.1~dfsg1-3+deb7u3) |
asterisk-config-custom; however:
  Package asterisk-config is to be removed.
  Package asterisk-config-custom is not installed.

If I understand it well, this makes asterisk-config be installed
automatically when someone installs asterisk, which I consider bad (see above).

Petr Tomášek
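As an added illustration (not part of the thread or of the Debian asterisk-config package), the two modules.conf styles discussed above side by side: the shipped `autoload => yes` form that loads every installed module, and an explicit allow-list in the spirit of the proposal, where every module is hashed out and only the ones actually needed are enabled. The module names used (chan_sip.so, pbx_config.so, pbx_ael.so, pbx_lua.so, res_musiconhold.so) are assumed for illustration; the `noload =>` lines address the point about extensions.ael and extensions.lua still being read after extensions.conf is replaced.

```ini
; --- Style 1: the default shipped in modules.conf (weak from a hardening view) ---
; Every module found in the modules directory is loaded, including dialplan
; parsers for extensions.ael and extensions.lua that the admin may never use.
[modules]
autoload => yes

; --- Style 2: explicit allow-list (illustrative, not the package's own file) ---
; Nothing is loaded unless listed; unused modules stay hashed out with ';'.
[modules]
autoload => no

; Dialplan: only the extensions.conf parser is enabled.
load => pbx_config.so
;load => pbx_ael.so          ; parser for extensions.ael (example file)
;load => pbx_lua.so          ; parser for extensions.lua (example file)

; Channels and resources actually used on this box (assumed names).
load => chan_sip.so
load => res_musiconhold.so

; Belt and braces: even if autoload is later flipped back to 'yes',
; the example dialplan parsers stay out.
noload => pbx_ael.so
noload => pbx_lua.so
```

With autoload off, a module missing from the list simply does not load, so the file doubles as a reviewable inventory of the telephony surface the host exposes; `noload =>` keeps working even when autoload is turned back on, which is useful when a later upgrade rewrites the file.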



More information about the Pkg-voip-maintainers mailing list