[SR-Users] DBURL password in clear

Daniel-Constantin Mierla miconda at gmail.com
Fri Nov 17 11:14:44 CET 2017



On 16.11.17 10:34, Daniel Tryba wrote:
> On Wed, Nov 15, 2017 at 08:46:58AM +0100, Daniel-Constantin Mierla wrote:
>>> I'm working for a UK high street bank and our Kamailio implementation has been challenged because we've got database passwords held in clear in the configuration file.
> ...
>>> My requirement is simple, I need to be able to supply a password via means such as loading a variable from a run-once script at start up, or a module. The ideal would be to be able to read in a Docker secret :)
>>>
>> you can define a token to be used inside kamailio.cfg by using the -A
>> command line parameter. So when you start kamailio, fetch the password
>> from your secure system by whatsoever means, then build the database
>> url based on it and run kamailio with:
>>
>> kamailio -A DBURL='mysql://user:passwd@dbhost/kamailio' ...
> My guess is the next problem will be the password being visible to all
> users querying the processlist :)

Indeed, this is a valid concern in this context.
>
> Is including a file (import_file) with passwords an option? Generate the
> file just before startup, remove it (of course in a secure way (shred the
> file and overwrite all free space with multiple patterns a few dozen
> times (ask the auditors for the exact specifications that make them
> happy))) after kamailio is running.
Right, a better option is the included file that can be removed. With
the default kamailio.cfg, one can generate kamailio-local.cfg in the
same folder as kamailio.cfg, and inside kamailio-local.cfg one can have:

#!define DBURL "...."

Once kamailio is started, the file can be removed.

On the other hand, if the file is accessible only by the root user and
nobody else can see it, removing it won't add much protection, maybe just
for the long term when the server is dismissed and it's good not to have a
file with such content. Because someone with root access can deploy gdb and
then attach to a running kamailio process and read values from its memory...

Cheers,
Daniel

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
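The start-up sequence discussed in this thread (generate kamailio-local.cfg with a DBURL define, start kamailio, remove the file) as an added example; this is not code from the thread or from the Kamailio project. It assumes the password is a one-line secret file such as a Docker secret (path given by SECRET_FILE, assumed), that kamailio.cfg in CFG_DIR is the default one that includes kamailio-local.cfg via import_file, and the function names (read_secret, write_local_cfg, cfg_is_private, remove_local_cfg, start_kamailio) are hypothetical. The password never goes on a command line, so it is not visible in the process list; as noted above, it does nothing against a root user attaching gdb to the running process.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Kamailio project.
# Read the DB password from a secret file, write kamailio-local.cfg with a
# DBURL define (mode 0600), start kamailio, then remove the generated file.
set -eu

SECRET_FILE="${SECRET_FILE:-/run/secrets/kamailio_db_password}"  # assumed path
CFG_DIR="${CFG_DIR:-/etc/kamailio}"                                # assumed path
DB_USER="${DB_USER:-kamailio}"
DB_HOST="${DB_HOST:-localhost}"
DB_NAME="${DB_NAME:-kamailio}"

# Print the first line of the secret file to stdout. Fails on a missing,
# unreadable or empty secret so a broken deployment does not start with an
# empty password.
read_secret() {
    secret_file="$1"
    [ -r "$secret_file" ] || { echo "secret file not readable: $secret_file" >&2; return 1; }
    line=
    IFS= read -r line < "$secret_file" || true   # read returns 1 at EOF without a newline
    [ -n "$line" ] || { echo "secret file is empty: $secret_file" >&2; return 1; }
    printf '%s' "$line"
}

# Write cfg_dir/kamailio-local.cfg containing only the DBURL define.
# The file is removed first and created under umask 077, so it is mode 0600
# from the moment it exists (a redirect onto an existing file would keep that
# file's old permissions). Prints the path of the generated file.
write_local_cfg() {
    cfg_dir="$1"; secret_file="$2"; user="$3"; host="$4"; db="$5"
    passwd=$(read_secret "$secret_file")
    target="$cfg_dir/kamailio-local.cfg"
    rm -f "$target"
    (
        umask 077
        # Caveat: a password containing '"' or '@' would need escaping / URL-encoding.
        printf '#!define DBURL "mysql://%s:%s@%s/%s"\n' "$user" "$passwd" "$host" "$db" > "$target"
    )
    unset passwd
    printf '%s\n' "$target"
}

# True only if the generated file grants no permission bits to group/other.
cfg_is_private() {
    target="$1"
    mode=$(stat -c '%a' "$target" 2>/dev/null || stat -f '%Lp' "$target")  # GNU stat, then BSD stat
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Remove the generated file; shred it when the tool is available.
remove_local_cfg() {
    target="$1"
    if command -v shred >/dev/null 2>&1; then
        shred -u "$target"
    else
        rm -f "$target"
    fi
    [ ! -e "$target" ]
}

# Full sequence: generate, verify permissions, start kamailio, clean up.
# kamailio reads kamailio-local.cfg while parsing its configuration at
# start-up, so the file is no longer needed once the daemon is running.
start_kamailio() {
    target=$(write_local_cfg "$CFG_DIR" "$SECRET_FILE" "$DB_USER" "$DB_HOST" "$DB_NAME")
    if ! cfg_is_private "$target"; then
        echo "refusing to start: $target is not private" >&2
        remove_local_cfg "$target"
        return 1
    fi
    kamailio -f "$CFG_DIR/kamailio.cfg"
    remove_local_cfg "$target"
}

# Only run the start sequence when kamailio is actually installed; the helper
# functions above can be exercised without it.
if command -v kamailio >/dev/null 2>&1; then
    start_kamailio
fi
```

Run it in place of a plain `kamailio` start command, with SECRET_FILE and CFG_DIR exported for the deployment. The permission check before starting is there because a kamailio-local.cfg that is world-readable even briefly defeats the point of generating it at start-up.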
