Discussion about Firewall Security Issues


#1

The criticism from members of your development team in this thread was that running Asterisk/FreePBX as root was a “security issue.” Perhaps it’s too subtle for you to grasp but running a firewall as root inside a browser-based GUI might also be considered a “security issue.” Remember the old adage about people who live in glass houses? Didn’t think so.


FreePBX 13: Unable to reload through GUI: Asterisk running as root (PiAF)
(Rob Thomas) #2

No I wasn’t. This has nothing to do with me. I do my best to not interact with you at all, as all you do is try to troll me. Like this. I just came in here because I saw a notification that a comment was flagged, and I explicitly unflagged it, and … sigh, tried to explain how to make sure you don’t get flagged again. (Don’t troll).

Of course, that was ignored.

You haven’t asked a question. Answering a question depends on the question actually being asked.

“Of course it does.”

EDITORIAL COMMENT:
as @tm1000 explains below, it does not have ‘direct’ root access. It has a decoupled ability to access very ‘narrow’ root capabilities through incron that we attempt to very carefully define. For example, we may provide the ability to pass an IP address and then trigger a script that runs as root, and after verifying with signature checks that the script has not been tampered with, will take the IP address and run a specific iptables command to add that IP address to a white list. That’s the level of root access that is provided, as explained in several other threads and locations.
EDITORIAL COMMENT FINISHED, BACK TO OUR REGULARLY SCHEDULED CONTENT:

Have you not even read the firewall thread? Or the wiki page? Or the documentation? Or the design documents? Or anything? Have you even tried to look at the code? This is all extremely well documented and explained.

However, if you DO have a question about the firewall, why don’t you try reading the firewall thread? There’s about 90 posts there, and I’m sure all your questions will be answered.

This thread is now extremely off topic, please don’t spam.

Edit: I’ve moved these two posts to their own new thread. Please feel free to continue to discuss security issues here.


(Rob Thomas) #4

It might be, but that’s why we actively encourage security professionals to audit things like this, so it’s NOT a security issue.

On the other hand, things like webmin - which offers unrestricted and uncontrolled root access and has had hundreds and hundreds of bugs, and still to this day causes a significant percentage of intrusions, are a security issue.

As an aside, I would appreciate it if you would try to keep your tone pleasant and un-inflammatory. As I said in the post yesterday, the only way to stop people from flagging you as a troll is not to troll. If you’re helpful and pleasant, you’ll never have an issue with people flagging your posts.

Think of a flag as a downvote, and a heart as an upvote.


#5

Audits alone don’t eliminate “security issues.” Separation of applications using different user credentials makes a secure computing environment as I’m sure you know.

As for WebMin, we provide WebMin access only with Apache credentials PLUS a root user password PLUS a firewall whitelist. Otherwise, there is no WebMin access.


(Andrew Nagy) #6

Perhaps you should also read up on incron. Which is the service we use. We do not just blatantly hand out root to firewall as seems to be suggested. This still seems as though none of the threads about firewall have been read. As it’s fully explained how it works and how it functions. Did you notice that after the bug was fixed the security professional was no longer able to obtain root? If we were just blatantly giving out root he would have been able to exploit it over and over again. But he wasn’t.

Perhaps you should ask that security expert to help out PBX in a flash…
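
Added example, not part of the thread and not FreePBX's code: a sketch of the narrow root hook described in the editorial comment in post #2 and the incron design mentioned in #6, where an unprivileged process passes only an IP address and the root side checks the helper script, validates the input, and builds one fixed iptables command. It assumes a pinned SHA-256 digest in place of the signature check; the chain name `pbx-whitelist` and all function names are hypothetical.

```python
import hashlib
import hmac
import ipaddress

CHAIN = "pbx-whitelist"  # hypothetical chain name, not taken from the thread


class Rejected(Exception):
    """Raised when the request or the helper script fails a check."""


def script_untampered(path, pinned_sha256):
    # Stand-in for the signature check: compare the helper script's
    # SHA-256 with a digest pinned in root-owned configuration.
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256)


def parse_request(raw):
    # The request is written by the unprivileged web process: untrusted.
    if len(raw) > 45 or "%" in raw:  # length cap; no IPv6 zone IDs
        raise Rejected("malformed request")
    try:
        # Rejects spaces, newlines, CIDR ranges and option-like strings.
        ip = ipaddress.ip_address(raw)
    except ValueError:
        raise Rejected("not an IP address") from None
    if ip.is_unspecified or ip.is_multicast:
        raise Rejected("address not allowed")
    return ip


def whitelist_argv(raw, script_path, pinned_sha256):
    """Return the one fixed command this hook may run, as an argv list."""
    if not script_untampered(script_path, pinned_sha256):
        raise Rejected("helper script changed")
    ip = parse_request(raw)
    tool = "iptables" if ip.version == 4 else "ip6tables"
    # Canonical str(ip), never the raw text; argv list, never a shell string.
    return [tool, "-A", CHAIN, "-s", str(ip), "-j", "ACCEPT"]
```

The returned list is meant to be handed to `subprocess.run(argv, check=True)` by the root-side hook, so no shell ever parses the caller's input.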