On Tue, 2008-10-28 at 17:19 -0400, Andy Spitzer wrote: > Woof! > > On Tue, 28 Oct 2008 17:09:45 -0400, Scott Lawrence > <[EMAIL PROTECTED]> wrote: > Woof Asked: > > What are you trying to protect against there? > > Scott answered: > > authentication is not authorization > > True statement--but it doesn't answer my question. > > What are you trying to protect against with this magic list of addresses > that can be used for configuration? Some rogue sipXconfig process that is > indavertantly off configuring other peoples machines?
Approximately, yes. There is only supposed to be one sipXconfig. If there is more than one, things will go wonky very quickly. Bear in mind that every system has the potential to be modified (even accidentally) such that it thinks it's the master. > A hacker who is > using the XML-RPC interface on a non-authorized machine that happens to > have the correct certs? No... if the hacker has access to good certs (or more specifically, to the private key parts of the good certs), they win. > Seems to me, if I've gotten far enough to get the certs, I can get far > enough to hand edit an ascii list of "authorized" IP addrs, or just change > the darn config files themselves. So it doesn't seem to add any > protection against rougues (that I can determine), yet it increases the > complexity and the chances of failure and locking valid changes out of the > system (as it did in my case). What happened to you is an upgrade problem (and a serious one). We have not yet put in all the functionality to deal with upgrade from the old scheme to the new one (we've been trying to get the new one to work). Sorry about that ... these things happen during development as you well know. The path you chose to recovery was quite a bit more complicated than I think it needed to be. It's not a reason to remove a basic system integrity check. _______________________________________________ sipx-dev mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-dev Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
