[SR-Users] DBURL password in clear

Daniel-Constantin Mierla miconda at gmail.com
Fri Nov 17 11:24:22 CET 2017


Hello,

just remembered that a while ago I added support for the config file
name '-' (dash/minus char), which means kamailio reads the config from
standard input. This can be used to direct content of the kamailio.cfg
from a safe system. For example, if one stores the config file on a web
server, one can do:

curl https://myserver.com/kamailio.cfg | kamailio -f -

It can be a web server asking for a password.

In the context of keeping it encrypted, there can be a tool that fetches
and decrypts kamailio.cfg content and prints it to the standard output.

Using this, not even kamailio.cfg needs to be saved on the local disc.

On the other hand, as I said in a previous response, if an untrusted
person gets access with root privileges, then they can attach to a running
kamailio process with gdb and read from memory.

Cheers,
Daniel


On 17.11.17 08:02, Jurijs Ivolga wrote:
> Hi Robert,
>
> I'm not a security expert and I'm quite new to Docker, but I think a
> password in a Docker container which will be saved in clear text
> somewhere should not be a problem, as long as you do not save this
> password to an image or git, etc.
>
> I think the best way for you is to use Docker secrets, then generate
> the config file for Kamailio using these Docker secrets, and then start
> Kamailio; for all of this you need to write some kind of entrypoint
> script. Here is an example of how Homer Sipcapture does something
> similar: they set environment variables in docker-compose and then
> generate the config file based on them, but you can probably use Docker
> secrets instead of environment variables:
>
> https://github.com/sipcapture/homer-docker/tree/master/kamailio
>
> I found one more interesting link regarding docker secrets:
>
> https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/
>
> With kind regards,
>
> Jurijs
>
> On Thu, Nov 16, 2017 at 11:58 PM, Robert <robert at vooey.co.uk> wrote:
>
>     That’d presumably leave the clear text footprint I'm trying to
>     avoid, albeit in a non-Kamailio file. I’ve made a start on an
>     approach to read from a file; Docker secrets are basically just
>     files, but the Docker platform handles them securely.
>
>     Thanks - Robert...
>
>     > On 16 Nov 2017, at 21:46, Bastian Triller <bastian.triller at gmail.com> wrote:
>     >
>     > Isn't using a group in the db URL an option? Generate some .cnf in
>     > /etc/mysql/conf.d (or where MySQL searches its configuration in a
>     > Docker container) from the secret and use the group in your db URL in
>     > kamailio.cfg.
>     >
>     > http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212
>
>
>     _______________________________________________
>     Kamailio (SER) - Users Mailing List
>     sr-users at lists.kamailio.org
>     https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
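
The stdin config feature described in this message, combined with the Docker secrets approach from the quoted replies, as an added example that is not part of the original thread or of Kamailio's own code. The `@@DB_PASSWORD@@` placeholder, the template path and the secret name `kamailio_db_password` are assumptions.

```shell
#!/bin/sh
# Added example: render kamailio.cfg from a template plus a secret file and
# hand it to "kamailio -f -", so the rendered config is never written to disk.
# Assumed names (not from the thread): the @@DB_PASSWORD@@ placeholder, the
# template path and the secret name kamailio_db_password.
PLACEHOLDER='@@DB_PASSWORD@@'

# render_cfg TEMPLATE SECRET_FILE
# Prints the template with every placeholder replaced by the first line of
# the secret file. Prints no config at all if the secret is missing or empty,
# or if the template does not contain the placeholder.
render_cfg() {
    rc_tpl=$1; rc_sec=$2
    [ -r "$rc_tpl" ] || { echo "template not readable: $rc_tpl" >&2; return 1; }
    [ -s "$rc_sec" ] || { echo "secret missing or empty: $rc_sec" >&2; return 1; }
    # awk reads the secret from the file itself; passing it as an argument
    # or environment variable would expose it through /proc.
    rc_out=$(awk -v ph="$PLACEHOLDER" '
        NR == FNR { if (FNR == 1) secret = $0; next }   # first file: secret
        secret == "" { exit 2 }                         # blank first line
        {
            out = ""; line = $0
            while ((i = index(line, ph)) > 0) {         # literal match, no regex
                out = out substr(line, 1, i - 1) secret
                line = substr(line, i + length(ph))
                found = 1
            }
            print out line
        }
        END { if (secret == "") exit 2; if (!found) exit 3 }
    ' "$rc_sec" "$rc_tpl") || { echo "config render failed" >&2; return 1; }
    printf '%s\n' "$rc_out"
}

# Entrypoint use: render completely first, start Kamailio only on success.
if [ "${1:-}" = "--start" ]; then
    cfg=$(render_cfg /etc/kamailio/kamailio.cfg.tpl \
        /run/secrets/kamailio_db_password) || exit 1
    printf '%s\n' "$cfg" | kamailio -f -
fi
```

The rendered config still lives in the memory of the shell and of Kamailio, so the point made above about a root user attaching with gdb applies unchanged.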
