Hi all
I'm using the version 1.5.2 and I'd like to know from you if it is possible to 'hide' the config file. Using other words, becoming the file unreadable for us, humans. There are people that have root access to the machine and I don't want to let them read the script. Does Kamailio have a function to do this kind of job?
tks, Machado
Does not inherently, but you could concoct it yourself.
On 01/07/2010 10:06 AM, Bruno Machado wrote:
Hi all
I'm using the version 1.5.2 and I'd like to know from you if it is possible to 'hide' the config file. Using other words, becoming the file unreadable for us, humans. There are people that have root access to the machine and I don't want to let them read the script. Does Kamailio have a function to do this kind of job?
tks, Machado
Kamailio (OpenSER) - Users mailing list Users@lists.kamailio.org http://lists.kamailio.org/cgi-bin/mailman/listinfo/users http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
On 1/7/10 4:40 PM, Alex Balashov wrote:
Does not inherently, but you could concoct it yourself.
indeed, for that is good to know that the config file is not needed during run-time, so once kamailio is started, you can delete the plain text config and keep encrypted version (e.g., gpg).
Cheers, Daniel
On 01/07/2010 10:06 AM, Bruno Machado wrote:
Hi all
I'm using the version 1.5.2 and I'd like to know from you if it is possible to 'hide' the config file. Using other words, becoming the file unreadable for us, humans. There are people that have root access to the machine and I don't want to let them read the script. Does Kamailio have a function to do this kind of job?
tks, Machado
Hi
Maybe worth adding that you should be aware that each root user can restart the server and could easily get the file then.
You would have to add some password entry during start-up (hence only manual start-up), otherwise it could be very easy to obtain the file.
Sebastian
-----Original Message-----
From: users-bounces@lists.kamailio.org [mailto:users-bounces@lists.kamailio.org] On Behalf Of Daniel-Constantin Mierla
Sent: Thursday, 07. January 2010 17:19
To: users@lists.kamailio.org
Subject: Re: [Kamailio-Users] Unreadable script
On 1/7/10 4:40 PM, Alex Balashov wrote:
Does not inherently, but you could concoct it yourself.
indeed, for that is good to know that the config file is not needed during run-time, so once kamailio is started, you can delete the plain text config and keep encrypted version (e.g., gpg).
Cheers, Daniel
On 01/07/2010 10:06 AM, Bruno Machado wrote:
Hi all
I'm using the version 1.5.2 and I'd like to know from you if it is possible to 'hide' the config file. Using other words, becoming the file unreadable for us, humans. There are people that have root access to the machine and I don't want to let them read the script. Does Kamailio have a function to do this kind of job?
tks, Machado
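The start-up sequence discussed in the messages above (decrypt the gpg copy, start Kamailio, delete the plain text), as an added example that is not part of the thread or of Kamailio itself. The function name, the `/dev/shm` default and the return codes are assumptions, and it assumes `kamailio -f` has finished reading the file by the time the foreground command returns.

```shell
#!/bin/sh
# Added example; names, paths and return codes are assumptions, not from the thread.
# gpg asks for the passphrase interactively, so this is a manual start-up only:
# anything that could start the server unattended could also decrypt the file.

start_kamailio_from_encrypted() {
    enc_cfg=$1
    run_dir=${2:-/dev/shm}      # tmpfs by default: plain text stays off the disk

    [ -r "$enc_cfg" ] || { echo "cannot read $enc_cfg" >&2; return 2; }

    # mktemp creates the file with mode 0600 and an unpredictable name.
    plain_cfg=$(mktemp "$run_dir/kamailio-cfg.XXXXXX") || return 2

    # Remove the plain text if the operator interrupts the start-up.
    trap 'rm -f "$plain_cfg"' INT TERM HUP

    rc=0
    if ! gpg --quiet --decrypt "$enc_cfg" > "$plain_cfg"; then
        echo "decryption of $enc_cfg failed" >&2
        rc=3
    elif ! kamailio -f "$plain_cfg"; then
        echo "kamailio did not start" >&2
        rc=4
    fi

    # The config file is not needed at run time, so delete it on every path,
    # including failed decryption and failed start.
    rm -f "$plain_cfg"
    trap - INT TERM HUP
    return "$rc"
}

# Typical manual invocation (path is an assumption):
#   start_kamailio_from_encrypted /etc/kamailio/kamailio.cfg.gpg
```

This only narrows the time the plain text exists as a file; it does not protect the configuration held in the running process's memory from a root user.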
On Thursday 07 January 2010, Daniel-Constantin Mierla wrote:
Does not inherently, but you could concoct it yourself.
indeed, for that is good to know that the config file is not needed during run-time, so once kamailio is started, you can delete the plain text config and keep encrypted version (e.g., gpg).
Hi Bruno,
in the cfgutils module there is some functionality to calculate (and then log) a MD5 hash over the configuration file, this way you know at least that it was not modified. Look for the parameter "hash_file".
Cheers,
Henning
I think it'd be neat if Kamailio could optionally read its config from stdin, though obviously that would cause certain things like "includes" to not necessarily work. Then Kamailio could be provisioned from a central server potentially, e.g. wget | kamailio.
On 7 Jan 2010, at 18:12, Alex Balashov wrote:
I think it'd be neat if Kamailio could optionally read its config from stdin, though obviously that would cause certain things like "includes" to not necessarily work. Then Kamailio could be provisioned from a central server potentially, e.g. wget | kamailio.
Or simply steal the idea with reading configs from realtime from Asterisk. That way, you can read configs from HTTPS as well as all the db drivers we have.
/O
Daniel, isn't the configuration somehow compiled into internal format? Would it be possible to do the "compilation" on another server and provide only a binary file which represents the internal structure of the configuration?
regards klaus
Daniel-Constantin Mierla wrote:
On 1/7/10 4:40 PM, Alex Balashov wrote:
Does not inherently, but you could concoct it yourself.
indeed, for that is good to know that the config file is not needed during run-time, so once kamailio is started, you can delete the plain text config and keep encrypted version (e.g., gpg).
Cheers, Daniel
On 01/07/2010 10:06 AM, Bruno Machado wrote:
Hi all
I'm using the version 1.5.2 and I'd like to know from you if it is possible to 'hide' the config file. Using other words, becoming the file unreadable for us, humans. There are people that have root access to the machine and I don't want to let them read the script. Does Kamailio have a function to do this kind of job?
tks, Machado
On 01/07/2010 12:35 PM, Klaus Darilion wrote:
Daniel, isn't the configuration somehow compiled into internal format? Would it be possible to do the "compilation" on another server and provide only a binary file which represents the internal structure of the configuration?
It just uses a lexer. I don't think the internal parse tree and/or other data structures associated with that process can really be serialised/deserialised in the manner of some sort of "bytecode."
On Thursday 07 January 2010, Alex Balashov wrote:
Daniel, isn't the configuration somehow compiled into internal format? Would it be possible to do the "compilation" on another server and provide only a binary file which represents the internal structure of the configuration?
It just uses a lexer. I don't think the internal parse tree and/or other data structures associated with that process can really be serialised/deserialised in the manner of some sort of "bytecode."
Hi Alex,
one option to hide the configuration script would be to create a bundle of the binary and the cfg, and then encrypt this with some key. During startup these files are decrypted and then the server runs with the cfg in memory.
I think similar packing methods are used by some viruses. But even in this case a sufficiently motivated attacker could just read the cfg from the RAM, if it's not removed after loading. And then of course there is always the option to read the compiled form created from the lexer from RAM and decompile it manually. And of course the key is also somehow present in the bundle, if you don't store it in some sort of protected hardware entity.
Cheers,
Henning
Hi Klaus,
On 1/7/10 6:35 PM, Klaus Darilion wrote:
Daniel, isn't the configuration somehow compiled into internal format? Would it be possible to do the "compilation" on another server and provide only a binary file which represents the internal structure of the configuration?
indeed inside is built a tree with data, but:
- global parameters are set in variables, not kept in the tree, same for module loading and module parameters
- posix regular expressions which use stack malloc for compiled data
Cheers, Daniel
regards klaus
Daniel-Constantin Mierla wrote:
On 1/7/10 4:40 PM, Alex Balashov wrote:
Does not inherently, but you could concoct it yourself.
indeed, for that is good to know that the config file is not needed during run-time, so once kamailio is started, you can delete the plain text config and keep encrypted version (e.g., gpg).
Cheers, Daniel
On 01/07/2010 10:06 AM, Bruno Machado wrote:
Hi all
I'm using the version 1.5.2 and I'd like to know from you if it is possible to 'hide' the config file. Using other words, becoming the file unreadable for us, humans. There are people that have root access to the machine and I don't want to let them read the script. Does Kamailio have a function to do this kind of job?
tks, Machado