[Freeswitch-users] context="public" on profiles in default configand why!
Michael Collins
mcollins at fcnetwork.com
Thu Jul 24 23:39:17 PDT 2008
> Recently a bug has been opened on the default config because the
> context on all the profiles are set to "public". Let me take a few
> moments to clarify WHY its like this.
Hehe, security as a forethought should never be considered a bug!
>
> The internal profile is the one setup in the default configuration for
> users to register with. If you notice each user has a "user_context"
> variable on them. If you register to FreeSWITCH and auth your context
> is set to the value of user_context during that call. Now here is the
> reason I choose to have public as the context on the internal
> profile.... If for any reason you turn off auth or mess up your config
> and users no longer auth but are able to get in and the context is set
> to public that keeps people from bypassing any security and accessing
> your dialplan that should only be accessed by authenticated users....
> ie toll fraud.
For the sake of clarification and my own understanding I'd like to
confirm something: when we say "public context" we are referring to the
context that is the least trusted, not unlike the public side of your
Internet firewall. (A deliberately imperfect but easily understood
analogy.)
Another way of looking at it is this - if the internal sip profile
defaulted to the "default" context (i.e. the "trusted" context if you
will) then *anybody* in the internal profile would be able to dial out
and like Brian said, that's ripe for toll fraud.
Those who may disagree with the default setting of the context value in
the internal sip profile can go through this arduous task to "fix" the
problem:
Step 1: open conf/sip_profiles/internal.xml in text editor
Step 2: change value="public" to value="default", save file
Step 3: wipe the sweat off your brow - that was some hard work you just
accomplished while trying to overcome Brian's crazy paranoia!
Oh, and don't forget to restart FS or do the reload thing which I think
is:
sofia profile internal restart reloadxml
(someone correct me if that's wrong)
>
> Hope this clarifies that choice in the defaults.
Yes, it makes perfect sense. The default, out-of-box config is set up
not to have an obvious security hole. If people want that hole they can
follow steps 1-3 above and be ready to go in a jiffy.
-MC
>
> Thanks,
> Brian West
> sip:brian at freeswitch.org
>
>
>
>
> _______________________________________________
> Freeswitch-users mailing list
> Freeswitch-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
More information about the FreeSWITCH-users
mailing list