Hi all
I'm using version 1.5.2 and I'd like to know from you if it is possible to 'hide' the config file. In other words, making the file unreadable for us humans. There are people that have root access to the machine and I don't want to let them read the script. Does Kamailio have a function to do this kind of job?
tks, Machado
Does not inherently, but you could concoct it yourself.
On 01/07/2010 10:06 AM, Bruno Machado wrote:
On 1/7/10 4:40 PM, Alex Balashov wrote:
Does not inherently, but you could concoct it yourself.
Indeed, for that it is good to know that the config file is not needed during run-time, so once Kamailio is started, you can delete the plain text config and keep an encrypted version (e.g., gpg).
Cheers, Daniel
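The decrypt, start, delete sequence Daniel describes, as a shell sketch. This is an added example, not code from the thread or from the Kamailio project; the function name, the `GPG`/`KAMAILIO` override variables and the example path are assumptions.

```shell
#!/bin/sh
# Added example: start Kamailio from a gpg-encrypted config and remove the
# plaintext copy again once the daemon has read it.

GPG=${GPG:-gpg}                # assumption: overridable command names
KAMAILIO=${KAMAILIO:-kamailio}

# start_from_encrypted <encrypted-cfg>   (hypothetical helper)
# Returns 0 on success, 2 unreadable input, 3 no temp file,
# 4 decryption failed, 5 kamailio refused to start.
start_from_encrypted() {
    enc=$1                     # e.g. /etc/kamailio/kamailio.cfg.gpg (assumed path)
    [ -r "$enc" ] || { echo "cannot read $enc" >&2; return 2; }

    # Keep the short-lived plaintext private to the invoking user.
    old_umask=$(umask)
    umask 077
    plain=$(mktemp "${TMPDIR:-/tmp}/kamcfg.XXXXXX") || { umask "$old_umask"; return 3; }
    umask "$old_umask"

    st=0
    if ! "$GPG" --quiet --yes --output "$plain" --decrypt "$enc"; then
        echo "decryption of $enc failed" >&2
        st=4
    elif ! "$KAMAILIO" -f "$plain"; then
        echo "kamailio did not start" >&2
        st=5
    fi

    # The config is only needed while starting up, so the plaintext is
    # removed on every path, including the failure paths.
    rm -f "$plain"
    return "$st"
}
```

This keeps the script off disk between restarts only; as Henning points out further down the thread, someone with root can still read it from the running process's memory.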
On Thursday 07 January 2010, Daniel-Constantin Mierla wrote:
Hi Bruno,
in the cfgutils module there is some functionality to calculate (and then log) an MD5 hash over the configuration file, this way you know at least that it was not modified. Look for the parameter "hash_file".
Cheers,
Henning
I think it'd be neat if Kamailio could optionally read its config from stdin, though obviously that would cause certain things like "includes" to not necessarily work. Then Kamailio could be provisioned from a central server potentially, e.g. wget | kamailio.
On 7 Jan 2010, at 18:12, Alex Balashov wrote:
I think it'd be neat if Kamailio could optionally read its config from stdin, though obviously that would cause certain things like "includes" to not necessarily work. Then Kamailio could be provisioned from a central server potentially, e.g. wget | kamailio.
Or simply steal the idea of reading configs from realtime from Asterisk. That way, you can read configs from HTTPS as well as all the db drivers we have.
/O
On 01/07/2010 12:35 PM, Klaus Darilion wrote:
It just uses a lexer. I don't think the internal parse tree and/or other data structures associated with that process can really be serialised/deserialised in the manner of some sort of "bytecode."
On Thursday 07 January 2010, Alex Balashov wrote:
Hi Alex,
one option to hide the configuration script would be to create a bundle of the binary and the cfg, and then encrypt this with some key. During startup these files are decrypted and then the server runs with the cfg in memory.
I think similar packing methods are used by some viruses. But even in this case a sufficiently motivated attacker could just read the cfg from RAM, if it's not removed after loading. And then of course there is always the option to read the compiled form created by the lexer from RAM and decompile it manually. And of course the key is also somehow present in the bundle, if you don't store it in some sort of protected hardware entity.
Cheers,
Henning
Hi Klaus,
On 1/7/10 6:35 PM, Klaus Darilion wrote:
Indeed, a tree with data is built inside, but:
- global parameters are set in variables, not kept in the tree; same for module loading and module parameters
- posix regular expressions, which use stack malloc for compiled data
Cheers, Daniel