Not a problem if you lock down apache to specific IPs :) In fact, there are enough sip vulnerabilities from time to time that I put the phones themselves on either a private network (or controlled public netowork) or give them dyndns set ups and have a script auto update the iptables rules to those DNA names.
-Steve On Apr 5, 2013, at 7:02 PM, "S. Dale Morrey" <[email protected]> wrote: > You know, that's a very good question that I've never explored. Can anyone > chime in on that for me? Also is there a security problem with letting > Apache own the config files for Asterisk? > > > On Fri, Apr 5, 2013 at 7:29 PM, Jima <[email protected]> wrote: > >> On 2013-04-05 18:06, S. Dale Morrey wrote: >>> Hey Pluggers, >>> >>> I've got a quick best practices question for you. >>> >>> I have asterisk installed and running as the asterisk user and apache >>> installed and running as the apache user. >>> >>> I've got a new web interface that needs to execute some scripts to modify >>> asterisk dialplans, tell asterisk to reload itself, etc. >>> >>> Would it be best to add asterisk to the apache group, apache to the >>> asterisk group, both of the above or something else? >> >> Is there a reason Asterisk needs to be able to write to the tree? As >> long as it can read the configuration files, you don't really need to >> muck around with group ownership. Personally, I'd just grant the apache >> user the ability to reload Asterisk via sudo, and let it own the configs. >> >> Jima >> >> >> /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
