7 Jan
2010
7 Jan
'10
3:06 p.m.
Hi all
I'm using the version 1.5.2 and I'd like to know from you if it is possible to
'hide'
the config file. Using other words, becoming the file unreadable for us, humans.
There are people that have root access to the machine and I don't want to let
them read the script. Does Kamailio have a function to do this kind of job?
tks,
Machado
____________________________________________________________________________________
Veja quais são os assuntos do momento no Yahoo! +Buscados
http://br.maisbuscados.yahoo.com
7 Jan
7 Jan
3:40 p.m.
Does not inherently, but you could concoct it yourself.
On 01/07/2010 10:06 AM, Bruno Machado wrote:
Hi all
I'm using the version 1.5.2 and I'd like to know from you if it is
possible to 'hide'
the config file. Using other words, becoming the file unreadable for us,
humans.
There are people that have root access to the machine and I don't want
to let
them read the script. Does Kamailio have a function to do this kind of job?
tks,
Machado
------------------------------------------------------------------------
Veja quais são os assuntos do momento no Yahoo! + Buscados: Top 10
<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/>
- Celebridades
<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/celebridades/>
- Música
<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/m%C3%BAsica/>
- Esportes
<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/esportes/>
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users(a)lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
4:19 p.m.
On 1/7/10 4:40 PM, Alex Balashov wrote:
Does not inherently, but you could concoct it
yourself.
indeed, for that is good to know that the config file is not needed
during run-time, so once kamailio is started, you can delete the plain
text config and keep encrypted version (e.g., gpg).
Cheers,
Daniel
On 01/07/2010 10:06 AM, Bruno Machado wrote:
--
Daniel-Constantin Mierla
* http://www.asipto.com/
Hi all
I'm using the version 1.5.2 and I'd like to know from you if it is
possible to 'hide'
the config file. Using other words, becoming the file unreadable for us,
humans.
There are people that have root access to the machine and I don't want
to let
them read the script. Does Kamailio have a function to do this kind
of job?
tks,
Machado
------------------------------------------------------------------------
Veja quais são os assuntos do momento no Yahoo! + Buscados: Top 10
<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/>
- Celebridades
<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/celebridades/>
- Música
<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/m%C3%BAsica/>
- Esportes
<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/esportes/>
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users(a)lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
4:25 p.m.
Hi
Maybe worth to add that you should be aware that each root user can restart the server and
could easily get the file then.
You would have to add some password entry during start-up (hence only manual start-up),
otherwise it could be very easy to obtain the file.
Sebastian
> -----Original Message-----
> From: users-bounces(a)lists.kamailio.org
> [mailto:users-bounces@lists.kamailio.org] On Behalf Of
> Daniel-Constantin Mierla
> Sent: Thursday, 07. January 2010 17:19
> To: users(a)lists.kamailio.org
> Subject: Re: [Kamailio-Users] Unreadable script
>
>
>
> On 1/7/10 4:40 PM, Alex Balashov wrote:
> > Does not inherently, but you could concoct it yourself.
>
> indeed, for that is good to know that the config file is not needed
> during run-time, so once kamailio is started, you can delete
> the plain
> text config and keep encrypted version (e.g., gpg).
>
> Cheers,
> Daniel
>
> >
> > On 01/07/2010 10:06 AM, Bruno Machado wrote:
> >
> >> Hi all
> >>
> >> I'm using the version 1.5.2 and I'd like to know from you if it is
> >> possible to 'hide'
> >> the config file. Using other words, becoming the file
> unreadable for us,
> >> humans.
> >> There are people that have root access to the machine and
> I don't want
> >> to let
> >> them read the script. Does Kamailio have a function to do
> this kind
> >> of job?
> >>
> >> tks,
> >> Machado
5:07 p.m.
On Thursday 07 January 2010, Daniel-Constantin Mierla wrote:
Hi Bruno,
in the cfgutils module there is some functionality to calculate (and then log)
a MD5 hash over the configuration file, this way you know at least that it was
not modified. Look for the parameter "hash_file".
Cheers,
Henning
Does not
inherently, but you could concoct it yourself.
indeed, for that is good to know that the config file is not needed
during run-time, so once kamailio is started, you can delete the plain
text config and keep encrypted version (e.g., gpg).
5:12 p.m.
I think it'd be neat if Kamailio could optionally read its config from
stdin, though obviously that would cause certain things like "includes"
to not necessarily work. Then Kamailio could be provisioned from a
central server potentially, e.g. wget | kamailio.
--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
5:30 p.m.
7 jan 2010 kl. 18.12 skrev Alex Balashov:
I think it'd be neat if Kamailio could optionally
read its config from stdin, though obviously that would cause certain things like
"includes" to not necessarily work. Then Kamailio could be provisioned from a
central server potentially, e.g. wget | kamailio.
Or simply steal the idea with reading configs from realtime from Asterisk. That
way, you can read configs from HTTPS as well as all the db drivers we have.
/O
5:35 p.m.
Daniel, isn't the configuration somehow compiled into internal format?
Would it be possible to do the "compilation" on another server and
provide only a binary file which represents the internal structure of
the configuration?
regards
klaus
Daniel-Constantin Mierla schrieb:
On 1/7/10 4:40 PM, Alex Balashov wrote:
Does not inherently, but you could concoct it
yourself.
indeed, for that is good to know that the config file is not needed
during run-time, so once kamailio is started, you can delete the plain
text config and keep encrypted version (e.g., gpg).
Cheers,
Daniel
On 01/07/2010 10:06 AM, Bruno Machado wrote:
Hi all
I'm using the version 1.5.2 and I'd like to know from you if it is
possible to 'hide'
the config file. Using other words, becoming the file unreadable for us,
humans.
There are people that have root access to the machine and I don't want
to let
them read the script. Does Kamailio have a function to do this kind
of job?
tks,
Machado
------------------------------------------------------------------------
Veja quais são os assuntos do momento no Yahoo! + Buscados: Top 10
<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/>
- Celebridades
<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/celebridades/>
- Música
<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/m%C3%BAsica/>
- Esportes
<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/esportes/>
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users(a)lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
5:37 p.m.
On 01/07/2010 12:35 PM, Klaus Darilion wrote:
Daniel, isn't the configuration somehow compiled
into internal format?
Would it be possible to do the "compilation" on another server and
provide only a binary file which represents the internal structure of
the configuration?
It just uses a lexer. I don't think the internal parse tree and/or
other data structures associated with that process can really be
serialised/deserialised in the manner of some sort of "bytecode."
--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
5:47 p.m.
On Thursday 07 January 2010, Alex Balashov wrote:
Hi Alex,
one option to hide the configuration script would be to create a bundle of the
binary and the cfg, and then encrypt this with some key. During startup this
files are decrypted and then the server run with the cfg in memory.
I think similar packing methods are done from some viruses. But even in this
case an sufficient motivated attacker could just read the cfg from the RAM, if
its not removed after loading. And then of course there is always the option
to read the compiled form created from the lexer from RAM and decompile it
manually. And of course the key is also somehow present in the bundle, if you
don't store it in some sort of protected hardware entity..
Cheers,
Henning
Daniel,
isn't the configuration somehow compiled into internal format?
Would it be possible to do the "compilation" on another server and
provide only a binary file which represents the internal structure of
the configuration?
It just uses a lexer. I don't think the internal parse tree and/or
other data structures associated with that process can really be
serialised/deserialised in the manner of some sort of "bytecode."
8 Jan
8 Jan
10:54 a.m.
Hi Klaus,
On 1/7/10 6:35 PM, Klaus Darilion wrote:
Daniel, isn't the configuration somehow compiled
into internal format?
Would it be possible to do the "compilation" on another server and
provide only a binary file which represents the internal structure of
the configuration?
indeed inside is built a tree with data, but:
- global parameters are set in variables, not kept in the tree, same for
module loading and module parameters
- posix regular expressions which use stack malloc for compiled data
Cheers,
Daniel
regards
klaus
Daniel-Constantin Mierla schrieb:
>
>
> On 1/7/10 4:40 PM, Alex Balashov wrote:
>> Does not inherently, but you could concoct it yourself.
>
> indeed, for that is good to know that the config file is not needed
> during run-time, so once kamailio is started, you can delete the
> plain text config and keep encrypted version (e.g., gpg).
>
> Cheers,
> Daniel
>
>>
>> On 01/07/2010 10:06 AM, Bruno Machado wrote:
>>
>>> Hi all
>>>
>>> I'm using the version 1.5.2 and I'd like to know from you if it is
>>> possible to 'hide'
>>> the config file. Using other words, becoming the file unreadable
>>> for us,
>>> humans.
>>> There are people that have root access to the machine and I don't want
>>> to let
>>> them read the script. Does Kamailio have a function to do this kind
>>> of job?
>>>
>>> tks,
>>> Machado
>>>
>>> ------------------------------------------------------------------------
>>>
>>> Veja quais são os assuntos do momento no Yahoo! + Buscados: Top 10
>>>
<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/>
>>>
>>> - Celebridades
>>>
<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/celebridades/>
>>>
>>> - Música
>>>
<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/m%C3%BAsica/>
>>>
>>> - Esportes
>>>
<http://br.rd.yahoo.com/mail/taglines/mail/*http://br.maisbuscados.yahoo.com/esportes/>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Kamailio (OpenSER) - Users mailing list
>>> Users(a)lists.kamailio.org
>>> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
>>> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
>>
>>
>
--
Daniel-Constantin Mierla
* http://www.asipto.com/
5489
days inactive
5490
days old
10 comments
7 participants
participants (7)
-
Alex Balashov -
Bruno Machado -
Daniel-Constantin Mierla -
Henning Westerholt -
Klaus Darilion -
Olle E. Johansson -
Schumann Sebastian