This topic contains 5 replies, has 0 voices, and was last updated by Anonymous 2 years ago.
- May 20, 2016 at 3:35 pm #726
Was setting up the app and freeswitch to check the thing out, and stumbled upon these lines in freeswitch installation section:Code:chown -R freeswitch:daemon /usr/local/freeswitch/
chmod -R ug=rwX,o= /usr/local/freeswitch/
chmod -R u=rwx,g=rx /usr/local/freeswitch/bin/
This seem to be a very bad advice security-wise, as even after the last line, it’d leave all the .so files (executable code) writable by the daemon itself, which is proven to be kinda bad thing in many environments over time (windows, php, etc).
Unfortunately, I’ve never used freeswitch before, and don’t know if such broad permissions might be necessary in this case (so can’t really make a PR), but it seem highly unlikely – maybe only “/usr/local/freeswitch/var” or something similar needs the ‘w’ bit instead? Should be fixed, maybe?
Again, as freeswitch isn’t my thing and also because I’ll be using Arch package instead, don’t really have tested replacement lines to make a patch myself.
Wanted to bring it up as an issue, so that people won’t end up with stuff setup that way in production.
- May 20, 2016 at 3:48 pm #892
Another thing that’s odd, right next to this one is using “daemon” gid for freeswitch, which doesn’t seem to be needed here.
As I think what you’d want on a system, is that each app won’t share any access unless absolutely necessary, which I think is why unique uid/gid is default for e.g. “useradd” and packaged stuff on linux, and it’s strange to see special gid being used here.Or maybe there is a good reason, I just don’t see it.
Still, wanted to bring it up, while on the subject.
- May 21, 2016 at 7:36 am #893
Thanks for your report.
I just follow the freeswitch guidelines. But, if you test successfully your proposed solution, i will be glad to modify the documentation.
So, you can install freeswitch as you want respecting thé needed applications/modules.
- May 21, 2016 at 9:03 am #894
Yeah, guess maybe if I’ll get to it.
Do you mind linking the (official?) guidelines that suggest doing such strange thing?
Couldn’t easily find these myself, wonder if there’s maybe rationale for this stuff or something.
- May 21, 2016 at 9:57 am #895
Anonymousmk-fg wrote:Yeah, guess maybe if I’ll get to it.
Probably won’t unfortunately, as I’ve passed on the “extend pyfreebilling to fit our needs” job now, seeing the complexity of this stuff and how much I’d have to figure out to even start on that.
Thanks for picking up the report, hope you might find time to address it, maybe in some future doc revision. And thanks for maintaining such great and massive project in the open.
- May 23, 2016 at 7:05 am #896
I think that the original sources are not available anymore. FreeSwitch project has moved all documentation to confluence !
So, i move the support to debian stable. I have few things to change in the code to use the original packages. The consequences are to be closest to FreeSwitch team recommandations. And also, it will be simple to install for standard installation.
Thanks fo your messages.
You must be logged in to reply to this topic.
- Click to share on Twitter (Opens in new window)
- Click to share on Facebook (Opens in new window)
- Click to share on Pinterest (Opens in new window)
- Click to share on Tumblr (Opens in new window)
- Click to share on WhatsApp (Opens in new window)
- Click to share on Reddit (Opens in new window)
- Click to share on Telegram (Opens in new window)