[OpenSIPS-Users] opensips-cli and /tmp
Gregory Massel
greg at switchtel.co.za
Tue Feb 9 02:55:24 EST 2021
I struggled for quite some time to get opensips-cli working on Ubuntu
20.04 LTS.
It seems that there are now some security protections within the Linux
kernel (fs.protected_fifos) against users other than the original
creator writing to fifo files in /tmp.
https://unix.stackexchange.com/questions/503111/group-permissions-for-root-not-working-in-tmp
I eventually got opensips-cli working by moving the opensips_fifo into
/var/run/opensip/ instead of /tmp and then setting up an
opensips-cli.cnf file that pointed opensips-cli to the new fifo path.
I don't fully understand the reasons for protecting fifos in this manner
but I'm guessing that the intent is to prevent something other than the
intended application from creating the fifo first and then snooping in
to any data sent by client applications. Although the risk for something
like opensips-cli is probably minimal, I can see how this may present a
security risk for other applications.
This calls into question whether it is sensible to continue creating the
opensips_fifo within /tmp by default? Perhaps, for future versions, the
default should be in a directory owned by the opensips user (rather than
one with the sticky bit set)?
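
The restriction discussed in the message above, as an added example that is not part of the original post or of OpenSIPS: a Python model of the kernel's documented fs.protected_fifos rule, which shows why a FIFO in /tmp is refused while one in a directory owned by the daemon's user is not. The uid 110 for the opensips user and the directory modes are constructed sample values, and the model covers only this sysctl check, not ordinary permission bits.

```python
import os
import stat
import sys

SYSCTL = "/proc/sys/fs/protected_fifos"

def open_denied(level, dir_mode, dir_uid, fifo_uid, opener_uid):
    """Model the kernel's check for an O_CREAT open of an existing FIFO."""
    if level == 0 or not dir_mode & stat.S_ISVTX:
        return False              # protection off, or directory not sticky
    if fifo_uid in (dir_uid, opener_uid):
        return False              # FIFO owned by the opener or the directory owner
    if dir_mode & stat.S_IWOTH:
        return True               # world-writable sticky dir; root is not exempt
    return level >= 2 and bool(dir_mode & stat.S_IWGRP)

def read_level(path=SYSCTL):
    """Current fs.protected_fifos value; 0 when the sysctl does not exist."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 0

def check_fifo(fifo_path, opener_uid=None):
    """True if opener_uid (default: this process) would be refused on this host."""
    st = os.stat(fifo_path)
    if not stat.S_ISFIFO(st.st_mode):
        raise ValueError(f"{fifo_path} is not a FIFO")
    parent = os.stat(os.path.dirname(os.path.abspath(fifo_path)))
    uid = os.geteuid() if opener_uid is None else opener_uid
    return open_denied(read_level(), parent.st_mode, parent.st_uid, st.st_uid, uid)

# Constructed cases: uid 110 stands in for the opensips user, uid 0 is root.
TMP, OWNED = 0o41777, 0o40755    # /tmp-style dir vs. a dir owned by the daemon
CASES = {
    "root opens opensips' FIFO in /tmp": open_denied(1, TMP, 0, 110, 0),
    "opensips opens its own FIFO in /tmp": open_denied(1, TMP, 0, 110, 110),
    "root opens FIFO in opensips-owned dir": open_denied(1, OWNED, 110, 110, 0),
    "same /tmp open with the sysctl at 0": open_denied(0, TMP, 0, 110, 0),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], "denied" if check_fifo(sys.argv[1]) else "allowed")
    for name, denied in CASES.items():
        print(f"{name}: {'denied' if denied else 'allowed'}")
```

Run with a FIFO path as the only argument to evaluate a real file against the host's current sysctl value.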