freepbx packages - soon

Diego Iastrubni diego.iastrubni at xorcom.com
Wed Mar 22 16:28:10 UTC 2006


Lionel Elie Mamane wrote:

>On Mon, Mar 20, 2006 at 10:21:51AM +0200, Diego Iastrubni wrote:
>
>>One of the ugliest things is that the package will modify the user
>>www-data and add it to the group "asterisk". This is the only way
>>for users to be able to modify asterisk files from the web. Way
>>ugly, but must be done.
>
>It is above all highly insecure.

I know this. I am hoping to hear a better solution.


Just to be clear, this is how freepbx works:


1) User sees information which is pulled out of mysql

2) User modifies information into mysql

3) User presses "ok" -> all the configuration is saved into 
/etc/asterisk/*.conf


Stage 3 is the problematic one. This is executed by a php-cli script which 
MUST have write access to those files.


There is also another package called Asterisk Recording Interface, which 
has direct access to the voicemail files.


Using those GUIs is a risk, but IMHO whoever wants them will get them, 
even with all those security holes.
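
An added example, not part of the original message or of the FreePBX packaging: a small audit that lists which files in a configuration tree become writable for the web server account once it is added to the tree's group, which is the exposure discussed above. It assumes classic Unix mode bits only (no ACLs); the function names, the sample file names, their modes and the stand-in uid are all constructed for illustration.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Classic Unix write check: owner, then group, then other (no ACLs)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(root, uid, gids):
    """Relative paths under root that an account (uid, gids) may write."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            if writable_by(st, uid, set(gids)):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def newly_writable(root, uid, gids_before, extra_gid):
    """Paths that become writable only because extra_gid was added."""
    before = set(audit(root, uid, gids_before))
    after = set(audit(root, uid, set(gids_before) | {extra_gid}))
    return sorted(after - before)

def demo():
    # Constructed sample tree standing in for /etc/asterisk.
    modes = {"extensions.conf": 0o660, "sip.conf": 0o660, "manager.conf": 0o640}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in modes.items():
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        # The files' group plays the role of "asterisk" (assumption).
        tree_gid = os.lstat(os.path.join(root, "sip.conf")).st_gid
        web_uid = os.getuid() + 1  # hypothetical www-data uid, not the owner
        return newly_writable(root, web_uid, set(), tree_gid)

if __name__ == "__main__":
    for path in demo():
        print("group membership grants write access to:", path)
```

Run against a real tree with the web account's actual uid and group ids, the output shows how much of the tree the group grant opens up and which files a tighter mode such as 0640 keeps out of reach.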




More information about the Pkg-voip-maintainers mailing list