[SR-Users] DBURL password in clear

Daniel-Constantin Mierla miconda at gmail.com
Fri Dec 1 11:15:42 CET 2017


Hello,


On 30.11.17 21:39, Robert wrote:
> Hello Daniel,
>
> Sincere apologies for the tardy reply! There are lots of challenges
> I’ll face, but fortunately I only need to secure the application, it
> is for others to worry about preventing platform access etc. (but on
> the hardened OS, I’d be amazed if gdb was available ;).
kamailio is usually started as root to read protected files like
kamailio.cfg as well as to create control files/sockets, and then switches
to an unprivileged user (e.g., kamailio). If one gets root, installing
gdb or other tools won't be a big deal ...

Cheers,
Daniel

>
> The -f - solution may be the best approach.
>
> Thank you.
>
> Robert.
>
>> On 17 Nov 2017, at 10:24, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
>>
>> Hello,
>>
>> just remembered that a while ago I added support for the config file
>> name '-' (dash/minus char), which means kamailio reads the config from
>> standard input. This can be used to feed the content of kamailio.cfg
>> from a safe system. For example, if one stores the config file on a web
>> server, one can do:
>>
>> curl https://myserver.com/kamailio.cfg | kamailio -f -
>>
>> It can be a webserver asking for a password.
>>
>> In the context of keeping it encrypted, there can be a tool that
>> fetches and decrypts kamailio.cfg content and prints it to the
>> standard output.
>>
>> Using this, not even kamailio.cfg needs to be saved on the local disc.
>>
>> On the other hand, as I said in a previous response, if an untrusted
>> person gets access with root privileges, then they can attach to a
>> running kamailio process with gdb and read from memory.
>>
>> Cheers,
>> Daniel
>>
>>
>> On 17.11.17 08:02, Jurijs Ivolga wrote:
>>> Hi Robert,
>>>
>>> I'm not a security expert and I'm quite new to docker, but I think a
>>> password in a Docker container which will be saved somewhere in clear
>>> text should not be a problem, as long as you do not save this
>>> password to the image or git, etc...
>>>
>>> I think the best way for you is to use a docker secret, generate the
>>> config file for Kamailio using this docker secret, and then start
>>> Kamailio; for all of this you need to write some kind of
>>> Entrypoint script. Here is an example of how Homer Sipcapture does
>>> something similar: they set environment variables in docker-compose and
>>> then generate the config file based on these, but you can probably use
>>> docker secrets instead of environment variables:
>>>
>>> https://github.com/sipcapture/homer-docker/tree/master/kamailio
>>>
>>> I found one more interesting link regarding docker secrets:
>>>
>>> https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/
>>>
>>> With kind regards,
>>>
>>> Jurijs
>>>
>>> On Thu, Nov 16, 2017 at 11:58 PM, Robert <robert at vooey.co.uk> wrote:
>>>
>>>     That’d presumably leave the clear text footprint I'm trying to
>>>     avoid, albeit in a non-Kamailio file. I’ve made a start on an
>>>     approach to read from a file; Docker secrets are basically just
>>>     files, but the Docker platform handles them securely.
>>>
>>>     Thanks - Robert...
>>>
>>>     > On 16 Nov 2017, at 21:46, Bastian Triller <bastian.triller at gmail.com> wrote:
>>>     >
>>>     > Isn't using a group in the db URL an option? Generate some .cnf in
>>>     > /etc/mysql/conf.d (or where MySQL searches its configuration in a
>>>     > Docker container) from the secret and use the group in your db
>>>     > URL in kamailio.cfg.
>>>     >
>>>     > http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212
>>>
>>>
>>>     _______________________________________________
>>>     Kamailio (SER) - Users Mailing List
>>>     sr-users at lists.kamailio.org
>>>     https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>>

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
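Added example, not from the thread or the Kamailio project: a POSIX sh container entrypoint that combines Jurijs's "generate the config from a docker secret in an entrypoint script" idea with Daniel's `kamailio -f -` stdin trick, so the rendered kamailio.cfg with the DB password exists only in the pipe, never on disk or on a command line. The secret path `/run/secrets/db_password`, the template path and the `__DB_PASSWORD__` placeholder are assumptions; root on the host can of course still read the running process memory, as Daniel notes.

```shell
#!/bin/sh
# Added example (not from the thread): render kamailio.cfg from a Docker
# secret and feed it to kamailio on stdin with "kamailio -f -". The password
# is never written to a file kamailio owns and never appears in argv.
# Assumed: secret mounted at /run/secrets/db_password (Docker's default
# location) and a template /etc/kamailio/kamailio.cfg.tmpl containing the
# placeholder __DB_PASSWORD__, e.g.
#   #!define DBURL "mysql://kamailio:__DB_PASSWORD__@db/kamailio"
set -eu

SECRET_FILE="${SECRET_FILE:-/run/secrets/db_password}"
TEMPLATE="${TEMPLATE:-/etc/kamailio/kamailio.cfg.tmpl}"

# Print the secret's first line; fail on a missing, unreadable or empty file.
read_secret() {
    f="$1"
    [ -r "$f" ] || { echo "secret $f missing or unreadable" >&2; return 1; }
    pw=$(head -n 1 "$f")            # command substitution drops the newline
    [ -n "$pw" ] || { echo "secret $f is empty" >&2; return 1; }
    printf '%s' "$pw"
}

# Substitute __DB_PASSWORD__ with shell parameter expansion rather than sed,
# so characters special to sed (/ & \) in the password cannot break the URL.
render_config() {
    tmpl="$1"; secret="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *__DB_PASSWORD__*)
                printf '%s%s%s\n' "${line%%__DB_PASSWORD__*}" "$secret" \
                    "${line#*__DB_PASSWORD__}" ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done < "$tmpl"
}

main() {
    pw=$(read_secret "$SECRET_FILE")
    # The config travels over the pipe only; -DD keeps kamailio in the
    # foreground and -E sends its log to stderr, as a container expects.
    render_config "$TEMPLATE" "$pw" | kamailio -f - -DD -E
}

# Start only when invoked as ENTRYPOINT ["/entrypoint.sh", "start"];
# running without "start" just defines the functions above.
if [ "${1:-}" = "start" ]; then
    main
fi
```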
