
Comments (8)

jcolp commented on June 15, 2024

This is the first time you have mentioned at all that you have identified an actual exploitable method based on the security information and practices you've been talking about. Please use the Security Vulnerability report process of the project to privately report the details:

https://github.com/asterisk/asterisk/security/advisories/new

It will then be triaged, identified, scheduled, and a CVE issued when a release occurs.

A public Github issue is not the location to discuss any further detail.

from asterisk.

TheRook commented on June 15, 2024

Also, 17 cases of 0777 world read/write/execute isn't great. Files like logs should probably be 744 for read only, and 755 for directories that need read+execute:
https://github.com/search?q=repo%3Aasterisk%2Fasterisk+0777&type=code

I don't think there is any use case here for chmod 777, and the misuse case is tampering with sensitive log files and memory corruption. It would be great to see these updated along with #316 in a cumulative CVE and permissions-hardening patch.

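As an added illustration of the permission issue raised in the comment above (example code written for this page, not Asterisk's own), here is the `mkdir(path, 0777)` pattern next to a hardened equivalent, run under `umask 0` so the difference is visible. The function names, the temporary-directory layout, and the 0750/0640 modes are assumptions for the example; the hardened version creates state with a restrictive mode, then `fchmod`s through a file descriptor so the result does not depend on the caller's umask, and uses `O_NOFOLLOW` so a symlink planted at the path is rejected rather than followed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* mkdtemp, O_DIRECTORY, O_NOFOLLOW on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Modes chosen for this example (an assumption, not an Asterisk setting):
 * owner full / group read+search for directories, owner rw / group r for logs. */
#define SAFE_DIR_MODE  0750
#define SAFE_FILE_MODE 0640

/* Permission bits of `path` (0..07777) without following symlinks, or -1. */
int mode_of(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* The pattern under discussion: the resulting mode depends entirely on the
 * caller's umask; with umask 0 the directory ends up world-writable. */
int mkdir_permissive(const char *path)
{
    return mkdir(path, 0777);
}

/* Hardened: restrictive mode on creation, then fchmod via an fd so the final
 * mode is independent of umask; O_NOFOLLOW rejects a planted symlink and the
 * S_ISDIR check rejects anything that is not a real directory. */
int mkdir_hardened(const char *path)
{
    if (mkdir(path, SAFE_DIR_MODE) != 0 && errno != EEXIST)
        return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode)
        || fchmod(fd, SAFE_DIR_MODE) != 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

/* Hardened log file: owner rw, group r, nothing for others, append-only,
 * no symlink following, not inherited across exec. Returns an fd or -1. */
int open_log_hardened(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC,
                  SAFE_FILE_MODE);
    if (fd < 0)
        return -1;
    if (fchmod(fd, SAFE_FILE_MODE) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Runs both patterns under umask 0 inside a fresh temporary directory and
 * reports the resulting modes; cleans up afterwards. 0 on success, -1 on error. */
int demo_in_tempdir(int *loose_mode, int *tight_mode, int *log_mode)
{
    char base[] = "/tmp/permdemo.XXXXXX";
    char loose[64], tight[64], logf[64];
    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(loose, sizeof loose, "%s/loose", base);
    snprintf(tight, sizeof tight, "%s/tight", base);
    snprintf(logf, sizeof logf, "%s/tight/messages.log", base);

    mode_t saved = umask(0);                 /* worst case: nothing masked */
    int rc = (mkdir_permissive(loose) == 0 && mkdir_hardened(tight) == 0) ? 0 : -1;
    umask(saved);
    int fd = (rc == 0) ? open_log_hardened(logf) : -1;
    if (fd < 0)
        rc = -1;
    else
        close(fd);

    *loose_mode = mode_of(loose);
    *tight_mode = mode_of(tight);
    *log_mode = mode_of(logf);
    unlink(logf); rmdir(tight); rmdir(loose); rmdir(base);
    return rc;
}

int main(void)
{
    int loose, tight, logm;
    if (demo_in_tempdir(&loose, &tight, &logm) != 0) {
        perror("demo");
        return 1;
    }
    printf("mkdir(path, 0777) under umask 0 -> %04o\n", loose);
    printf("mkdir_hardened                 -> %04o\n", tight);
    printf("open_log_hardened              -> %04o\n", logm);
    return 0;
}
```

The umask reset is the point of the demo: a daemon cannot assume the umask it inherits from an init script or a container entrypoint, so passing 0777 and hoping the umask tightens it is not a control. Setting the mode explicitly on the descriptor after creation is.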

TheRook commented on June 15, 2024

Do I need to submit a PR and contact Mitre for a CVE? What is the next step here?


jcolp commented on June 15, 2024

The issue has been triaged, accepted, and is in queue. Unless you are familiar with Asterisk itself, I wouldn't recommend making changes because fundamentally altering behavior (such as not allowing root) even in this case is going to require discussion, research, and understanding all of the repercussions. If a CVE is warranted in some way then it will be requested when this work is undertaken.


TheRook commented on June 15, 2024


dovi5988 commented on June 15, 2024

@jcolp There is other software (such as VLC) which by default will not let you run it as root. A compromise could be to only allow Asterisk to run as root if the user passes a flag to allow running as root, even though it is highly discouraged.


jcolp commented on June 15, 2024

@dovi5988 Yes, there are options and possibilities.


TheRook commented on June 15, 2024

@jcolp Sorry for the delay on the writeup, I am installing the latest version and getting a proper writeup so that we can have a good discussion.

@dovi5988 A security override like this doesn't bother me; I have seen this in other products. As long as it defaults to a safe condition and writes to the log each time it is deployed in an insecure way, there isn't a chance of a silent bug. The point of the log write is that a large organization using ELK or another log management system can track security anomalies, and this fits. The security team may not be aware of how the VOIP team deployed or reconfigured Asterisk, so this makes sure that the organization is aware of the risk, and a descriptive warning message in the log file can do this.

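The override-plus-log design sketched in the last two comments, as an added example written for this page (not Asterisk code, and not an Asterisk option): refuse to start as root by default, continue only when an explicit flag is given, and emit a fixed, greppable log line on every privileged start so a central log pipeline can alert on it. The flag name `--allow-root`, the `SECURITY event=run_as_root` tag, the log format and all function names are assumptions for the example. The policy takes the effective uid as a parameter so the decision logic can be exercised without actually running as root.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum priv_decision { PRIV_OK = 0, PRIV_OK_WITH_WARNING = 1, PRIV_REFUSE = 2 };

/* Hypothetical override switch for this example; not an Asterisk option. */
#define ALLOW_ROOT_FLAG "--allow-root"
/* Fixed prefix so a log pipeline (ELK or similar) can match every
 * privileged start-up with a single rule, whatever the rest of the line says. */
#define SECURITY_TAG "SECURITY event=run_as_root"

/* 1 if the override flag is present on the command line, else 0. */
int parse_allow_root(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], ALLOW_ROOT_FLAG) == 0)
            return 1;
    return 0;
}

/* Pure policy: root is refused unless explicitly overridden, and an
 * override is never silent. Unprivileged users are unaffected. */
enum priv_decision decide_privileges(uid_t euid, int allow_root)
{
    if (euid != 0)
        return PRIV_OK;
    return allow_root ? PRIV_OK_WITH_WARNING : PRIV_REFUSE;
}

/* Renders the log line for a decision into buf; returns its length or -1. */
int format_privilege_notice(char *buf, size_t n, enum priv_decision d, uid_t euid)
{
    switch (d) {
    case PRIV_OK:
        return snprintf(buf, n, "privileges: running unprivileged as euid=%u",
                        (unsigned)euid);
    case PRIV_OK_WITH_WARNING:
        return snprintf(buf, n, "%s decision=allowed override=%s euid=0 "
                        "msg=\"running as root because %s was given; a bug in "
                        "this process is a root compromise of the host\"",
                        SECURITY_TAG, ALLOW_ROOT_FLAG, ALLOW_ROOT_FLAG);
    case PRIV_REFUSE:
        return snprintf(buf, n, "%s decision=refused euid=0 "
                        "msg=\"refusing to start as root; run as an unprivileged "
                        "user or pass %s\"", SECURITY_TAG, ALLOW_ROOT_FLAG);
    }
    return -1;
}

/* Start-up hook: writes the decision to `log` (if non-NULL) and returns 0 to
 * continue or 1 if the daemon must exit. The refusal is logged too, so an
 * operator sees why the service did not come up. */
int enforce_privileges(int argc, char **argv, uid_t euid, FILE *log)
{
    char line[512];
    enum priv_decision d = decide_privileges(euid, parse_allow_root(argc, argv));
    if (log && format_privilege_notice(line, sizeof line, d, euid) > 0)
        fprintf(log, "%s\n", line);
    return d == PRIV_REFUSE ? 1 : 0;
}

int main(int argc, char **argv)
{
    /* Uses the real effective uid; run as root with and without --allow-root
     * to see the refusal and the logged override. */
    return enforce_privileges(argc, argv, geteuid(), stderr);
}
```

Keeping `decide_privileges` free of side effects and separate from `geteuid()` is deliberate: it lets the policy be unit-tested for all three outcomes on a developer machine, and it keeps the log line as a stable contract that a detection rule can key on rather than a free-form message that drifts between releases.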
