Reported by: Helmut Grohne helmut@subdivi.de
The kamailio package now installs /etc/kamailio/kamailio-basic.cfg which can be selected via the CFGFILE= setting in /etc/default/kamailio. The configuration contains: ``` modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo") ``` This setting is insecure and may allow local users to elevate privileges to the kamailio user.
The issue extends to kamailio-advanced.cfg. It seems that this is due to an incomplete fix of #712083. Looking further, the state of /tmp file vulnerabilities in kamailio looks worrisome. Most of the results of the following command (to be executed in the kamailio source) are likely vulnerable if executed: ``` grep '/tmp/[a-z0-9_.-]+($$)?([" ]|$)' -r . ``` Granted, some of the results are examples, documentation or obsolete. But quite a few reach the default settings:
* kamcmd defaults to connecting to unixs:/tmp/kamailio_ctl. * The kamailio build definitely is vulnerable as can be seen in utils/kamctl/Makefile.
More research clearly is required here. Given these findings, the security team may want to veto the inclusion of kamailio in a stable release, which would be very unfortunate as kamailio is quite a unique piece of software with little competitors in its field.
Helmut
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775681
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/48
I think this can be fixed by setting user/group for fifo/ctl-socket files. Each of these modules have afferent parameter. Would that work?
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/48#issuecomment-70727754
Changes I'm planning to do in the Debian packaging:
kamcmd defaults to connecting to unixs:/tmp/kamailio_ctl.
I'm going to change the default of ctl module to /var/run/kamailio/kamailio_ctl so kamcmd will use it by default and I'm going to set explicitly the binrpc parameter on the etc/kamailio/*.cfg files
The kamailio build definitely is vulnerable as can be seen in utils/kamctl/Makefile.
I'm going to use basedir Makefile config instead of /tmp
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/48#issuecomment-71314450
On 24 Jan 2015, at 13:20, Victor Seva notifications@github.com wrote:
Changes I'm planning to do in the Debian packaging:
kamcmd defaults to connecting to unixs:/tmp/kamailio_ctl.
I'm going to change the default of ctl module to /var/run/kamailio/kamailio_ctl so kamcmd will use it by default and I'm going to set explicitly the binrpc parameter on the etc/kamailio/*.cfg files
The kamailio build definitely is vulnerable as can be seen in utils/kamctl/Makefile.
I'm going to use basedir Makefile config instead of /tmp
Is there a reason for not changing the Kamailio defaults?
/O
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/48#issuecomment-71324664
Is there a reason for not changing the Kamailio defaults?
And point them where? /var/run/kamailio is Debian specific not all OSes use that.
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/48#issuecomment-71324890
On 24 Jan 2015, at 17:18, Victor Seva notifications@github.com wrote:
Is there a reason for not changing the Kamailio defaults?
And point them where? /var/run/kamailio is Debian specific not all OSes use that.
My OS/X has /var/run with various sockets. My Centos servers has /var/run with various pid-files One of my FreebSD systems has /var/run
I think it works for all of these.
/O
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/48#issuecomment-71325089
`/var/run` is not Debian specific but in the Filesystem Hierarchy Standard; so a safe default to choose which should have wide support.
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/48#issuecomment-71427300
Why not default to kamailio working directory? Not the nicest way, but should work on most of setups.
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/48#issuecomment-71442036
I would say follow generic standards and place the files in /var/run by default. We should behave as other servers in a system whenever possible.
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/48#issuecomment-71442700
If /var/run is common to all major Linuxes and *BSDes, it can be used. But some of those Linuxes are using application name folder inside /var/run, so that doesn't seem to be standard - e.g., Debian is using /var/run/kamailio/... for PID.
Also, when installing with a PREFIX, perhaps this has to be taken in cosideration and have $PREFIX/var/run
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/48#issuecomment-71443433
JFTR I've just uploaded 4.2.0-2 to Debian and It has been unblocked by the Release Manager Team. So it will finally land jessie
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/48#issuecomment-72084032
@thijskh I said '/var/run/kamailio' is Debian specific @miconda now as 4.2.0-2 '/var/run/kamailio' is used for PID, kamailio_ctl and kamailio_fifo by default and yes I think $PREFIX/var/run should be honored
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/48#issuecomment-72084571
I'm glad to see work in this direction. I've been using this [patch](https://messinet.com/rpms/browser/kamailio/kamailio-ctl-fifo-pid.patch) for Fedora 20, 21 & EL7 RPMs to move things from **/tmp** to **/run/kamailio**. I'm sure it's not complete, but it's worked well so far.
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/48#issuecomment-72126585
Many thanks Victor for pursuing this and getting it pushed to Debian.
Perhaps we can made the default to /var/run/ instead of /tmp/, with Debian using /var/run/kamailio/.
At the end, I am happy to make it directly defaulting to /var/run/kamailio/. If other OSes have /var/run/ then I guess they are happy creating a new folder in there as well, not just placing new pid/socket/fifo files.
On Fri, Jan 30, 2015 at 12:34 AM, Anthony Messina notifications@github.com wrote:
I'm glad to see work in this direction. I've been using this patch https://messinet.com/rpms/browser/kamailio/kamailio-ctl-fifo-pid.patch for Fedora 20, 21 & EL7 RPMs to move things from */tmp* to */run/kamailio*. I'm sure it's not complete, but it's worked well so far.
— Reply to this email directly or view it on GitHub https://github.com/kamailio/kamailio/issues/48#issuecomment-72126585.
sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
On 30 Jan 2015, at 14:56, Daniel-Constantin Mierla miconda@gmail.com wrote:
Many thanks Victor for pursuing this and getting it pushed to Debian.
Yes!
Perhaps we can made the default to /var/run/ instead of /tmp/, with Debian using /var/run/kamailio/.
I think that would be a good move.
At the end, I am happy to make it directly defaulting to /var/run/kamailio/. If other OSes have /var/run/ then I guess they are happy creating a new folder in there as well, not just placing new pid/socket/fifo files.
/O
On Fri, Jan 30, 2015 at 12:34 AM, Anthony Messina notifications@github.com wrote: I'm glad to see work in this direction. I've been using this patch for Fedora 20, 21 & EL7 RPMs to move things from /tmp to /run/kamailio. I'm sure it's not complete, but it's worked well so far.
— Reply to this email directly or view it on GitHub.
sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
-- Daniel-Constantin Mierla - http://www.asipto.com http://twitter.com/#!/miconda - http://www.linkedin.com/in/micond _______________________________________________ sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
Closed #48.
--- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/48#event-311065969
-
Alekzander Spiridonov -
Anthony Messina
-
Daniel-Constantin Mierla
-
Daniel-Constantin Mierla -
Olle E. Johansson
-
Olle E. Johansson -
Thijs Kinkhorst
-
Victor Seva