Bug#1004080: asterisk: Configuration files owned by asterisk user

Jonas Smedegaard jonas at jones.dk
Thu Jan 20 15:17:21 GMT 2022


Hi Drexl,

Quoting Drexl Johannes (2022-01-20 15:41:40)
> I'm not entirely sure this poses a threat, but as I understand general 
> security directives state not to give the executing user of a service 
> write access to its config files and binaries. Yet after installing 
> the package the whole config directory as well as all included files 
> are owned by asterisk user and group as well as in mode 0640 (which I 
> suppose is a good decision for some files at least, talking about not 
> being world-readable).
> 
> So, to improve security this probably has to be changed to 
> root:asterisk with mode 0640 (where necessary), or am I getting stuff 
> wrong here?

That sounds sensible to me - superficially, I am unaware if some subtle 
detail in Asterisk requires special handling here.

An obvious next step might be to try to make the suggested change and see 
if it still seems to work the same.  Did you try that already, Drexl?  
If not, can I ask you to try it?

Kind regards,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
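
Added example, not part of the original message or of the Debian package: a POSIX shell audit for the ownership question raised in this thread. It reports entries under a configuration directory that the service account owns or can write, plus world-readable files. The function name `audit_conf_dir` and its output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a service's configuration directory for entries the
# service account itself could modify. Function name and output format are
# assumptions for illustration; they do not come from the asterisk package.

# Usage: audit_conf_dir DIR SERVICE_USER SERVICE_GROUP
# SERVICE_USER and SERVICE_GROUP may be names or numeric ids.
# Prints "reason<TAB>path" per finding.
# Returns 0 if clean, 1 if there are findings, 2 on bad input.
audit_conf_dir() {
    acd_dir=$1 acd_user=$2 acd_group=$3
    if [ ! -d "$acd_dir" ]; then
        echo "audit_conf_dir: not a directory: $acd_dir" >&2
        return 2
    fi
    acd_out=$(
        {
            # An owner can always chmod an entry back to writable, so ownership
            # by the service account is a finding whatever the mode bits say.
            # Directories count too: owning one allows replacing files in it.
            find "$acd_dir" -user "$acd_user" \
                -exec printf 'owned-by-service\t%s\n' {} \; &&
            # root:<group> with 0640 passes; the same group with g+w does not.
            find "$acd_dir" ! -type l -group "$acd_group" -perm -020 \
                -exec printf 'group-writable\t%s\n' {} \; &&
            # Writable by everyone, which includes the service account.
            find "$acd_dir" ! -type l -perm -002 \
                -exec printf 'world-writable\t%s\n' {} \; &&
            # Configuration files often hold credentials; keep them o-r.
            find "$acd_dir" -type f -perm -004 \
                -exec printf 'world-readable\t%s\n' {} \;
        } || printf 'find-error\t%s\n' "$acd_dir"  # never report clean on error
    )
    if [ -n "$acd_out" ]; then
        printf '%s\n' "$acd_out"
        return 1
    fi
    return 0
}

# Example invocation (path and account names as discussed in the thread):
#   audit_conf_dir /etc/asterisk asterisk asterisk
```

Running it before and after changing ownership to root:asterisk shows which entries the change actually covers; whether Asterisk still works afterwards has to be tested separately.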