[EMAIL PROTECTED] (Jeremy McNamara) writes: > Simon J Mudd wrote: > > >Using the LD_LIBRARY_PATH as you explain appears to be rather a hack. > > LD_LIBRARY_PATH is a standard Linux environment value, so complain to Linus.
I'm aware of what LD_LIBRARY_PATH is for (and that is works on various versions of UNIX), but my point was more from a safe installation point of view 1. pwlib and h323 libraries are from their own documentation "usefully" installed in $HOME/pwlib and $HOME/openh323 respectively. If these libraries have been installed by a non-root user and then you start asterisk as root, there is a _potential_ for this to be a security concern. In practice nothing may normally happen, but ... 2. The asterisk software when running make install, installs by default into /etc/asterisk and other [root owned] directories. This therefore assumes that the asterisk installation is to be run or started by root. If this is the case then IMO modifying LD_LIBRARY_PATH to include a non-root directory to include these libraries is unsafe, and if you want to ensure that you use non system/vendor/distribution -installed pwlib/h323 libraries that the location of these libraries should be under asterisk's control, but in a _safe_ (root owned) directory. Then again, it is quite possible that asterisk doesn't need to run as root, but can quite happily run as a standard user. If this is so then a good installation may require running as a non-root user which from a security point of view can ensure that any problems within asterisk can not lead to root exploits of the system. > >I wasn't sure WHY you frown so heavily on the vendor/distribution > >pwlib/h323 libraries (do they change that much or are different > >versions incompatible?) and as I hadn't installed these as packaged > >libraries I [safely] copied them to /usr/lib. > > They rename the libraries, have been known to make changes (which can > be argued both good and bad) and/or they haven't been updated in ages, > thus will not work properly with chan_h323 as we had to fix a few bits > of the H.323 stack. (the external rtp features) Ok. That's clear and understandable. I guess VoIP is rather lower on their list of priorities. FYI the reason I mention these things is that my background is using mail server software which in the past has been rather infamous for leading to root exploits of the system due to bugs [sendmail]. I've been an active member of the Postfix mailing list and the author has designed the software to ensure that this sort of problem is extremely difficult to produce on his software. One of the ways he does this is to ensure that both outside access to the application can't make the software _execute_ untrusted code and that internally the application can't be run in an insecure environment. The use of LD_LIBRARY_PATH in a well installed system thus struck me as beeing unsual which is why I asked. As you have seen I know next to nothing about VoIP and asterisk. I'm just trying to get a better understanding of how the software works. Thanks for taking the time to answer me. Simon -- Simon J Mudd, Postfix RPM Packager, Amsterdam, The Netherlands. email: [EMAIL PROTECTED], Tel: +31-627-592 627, http://postfix.WL0.org _______________________________________________ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
