Hello,
On 30.11.17 21:39, Robert wrote:
> Hello Daniel,
>
> Sincere apologies for the tardy reply! There are lots of challenges
> I’ll face, but fortunately I only need to secure the application; it
> is for others to worry about preventing platform access etc. (but on
> the hardened OS, I’d be amazed if gdb was available ;).

kamailio is usually started as root to read protected files like
kamailio.cfg as well as to create control files/sockets, and then switches
to an unprivileged user (e.g., kamailio). If one gets root, installing
gdb or other tools won't be a big deal ...

Cheers,
Daniel

> The -f - solution may be the best approach.
>
> Thank you.
>
> Robert.
>
>> On 17 Nov 2017, at 10:24, Daniel-Constantin Mierla <mico...@gmail.com> wrote:
>>
>> Hello,
>>
>> just remembered that a while ago I added support for the config file
>> name '-' (dash/minus char), which means kamailio reads the config from
>> standard input. This can be used to direct the content of
>> kamailio.cfg from a safe system. For example, if one stores the
>> config file on a web server, one can do:
>>
>> curl https://myserver.com/kamailio.cfg | kamailio -f -
>>
>> It can be a web server asking for a password.
>>
>> In the context of keeping it encrypted, there can be a tool that
>> fetches and decrypts the kamailio.cfg content and prints it to
>> standard output.
>>
>> Using this, not even kamailio.cfg needs to be saved on the local disk.
>>
>> On the other hand, as I said in a previous response, if an untrusted
>> person gets access with root privileges, then they can attach to a
>> running kamailio process with gdb and read from memory.
>>
>> Cheers,
>> Daniel
>>
>> On 17.11.17 08:02, Jurijs Ivolga wrote:
>>> Hi Robert,
>>>
>>> I'm not a security expert and I'm quite new to docker, but I think a
>>> password in a Docker container which will be saved in clear text
>>> somewhere should not be a problem, as long as you do not save this
>>> password to the image or git etc.
>>>
>>> I think the best way for you is to use docker secrets, then generate the
>>> config file for Kamailio using these docker secrets and then start
>>> Kamailio; for all of this you need to write some kind of
>>> entrypoint script. Here is an example of how Homer Sipcapture does
>>> something similar: they set environment variables in docker-compose and
>>> then generate the config file based on these, but you can probably use
>>> docker secrets instead of environment variables:
>>>
>>> https://github.com/sipcapture/homer-docker/tree/master/kamailio
>>>
>>> I found one more interesting link regarding docker secrets:
>>>
>>> https://blog.mikesir87.io/2017/05/using-docker-secrets-during-development/
>>>
>>> With kind regards,
>>>
>>> Jurijs
>>>
>>> On Thu, Nov 16, 2017 at 11:58 PM, Robert <rob...@vooey.co.uk> wrote:
>>>
>>>     That’d presumably leave the clear text footprint I'm trying to
>>>     avoid, albeit in a non-Kamailio file. I’ve made a start on an
>>>     approach to read from a file; Docker secrets are basically just
>>>     files, but the Docker platform handles them securely.
>>>
>>>     Thanks - Robert...
>>>
>>>     > On 16 Nov 2017, at 21:46, Bastian Triller <bastian.tril...@gmail.com> wrote:
>>>     >
>>>     > Isn't using a group in the db URL an option? Generate some .cnf in
>>>     > /etc/mysql/conf.d (or wherever MySQL searches for its configuration in a
>>>     > Docker container) from the secret and use the group in your db
>>>     > URL in kamailio.cfg.
>>>     >
>>>     > http://www.kamailio.org/docs/modules/5.0.x/modules/db_mysql.html#idp41997212
>>>
>>>     _______________________________________________
>>>     Kamailio (SER) - Users Mailing List
>>>     sr-users@lists.kamailio.org
>>>     https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>> --
>> Daniel-Constantin Mierla
>> www.twitter.com/miconda -- www.linkedin.com/in/miconda
>> Kamailio Advanced Training - www.asipto.com
>> Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
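The three suggestions in the thread (a Docker secret file, a generated MySQL option-group file, and feeding the rendered config to `kamailio -f -` so nothing is written to disk) fit together in one entrypoint script. The following is an added example written for this page; it is not code from the thread, from Kamailio or from the Homer project. The secret path under /run/secrets/, the template path, the `@DB_PASSWORD@` placeholder, the option-group name and the `USE_MYSQL_GROUP`/`ENTRYPOINT_RUN` switches are all assumptions; `-DD -E` are kamailio's run-in-foreground and log-to-stderr flags, and the exact URL syntax for pointing a db_url at an option group should be checked against the db_mysql documentation linked above.

```shell
#!/bin/sh
# Added example entrypoint (not from the thread, Kamailio or Homer).
# Renders kamailio.cfg from a template with the database password read from
# a Docker secret and pipes it to "kamailio -f -", so the password is never
# written to the container's filesystem. Paths, the placeholder name
# @DB_PASSWORD@ and the option-group name are assumptions.
set -eu

SECRET_FILE="${SECRET_FILE:-/run/secrets/kamailio_db_password}"
TEMPLATE="${TEMPLATE:-/etc/kamailio/kamailio.cfg.tmpl}"
MYSQL_CNF="${MYSQL_CNF:-/etc/mysql/conf.d/kamailio.cnf}"

# read_secret FILE: print the secret without its trailing newline and fail
# loudly on a missing or empty secret instead of starting with "".
read_secret() {
    [ -r "$1" ] || { echo "secret $1 is not readable" >&2; return 1; }
    value=$(cat "$1")
    [ -n "$value" ] || { echo "secret $1 is empty" >&2; return 1; }
    printf '%s' "$value"
}

# render_cfg TEMPLATE PASSWORD: replace every @DB_PASSWORD@ literally.
# A naive sed substitution breaks (or injects) on '&', '/' or '\' in the
# password; the awk index/substr loop inserts the value byte for byte. The
# password is placed only in the environment of the awk child, not exported
# to the kamailio process.
render_cfg() {
    DB_PASSWORD="$2" awk -v ph='@DB_PASSWORD@' '
    {
        line = $0; out = ""
        while ((i = index(line, ph)) > 0) {
            out = out substr(line, 1, i - 1) ENVIRON["DB_PASSWORD"]
            line = substr(line, i + length(ph))
        }
        print out line
    }' "$1"
}

# write_mysql_group FILE GROUP USER PASSWORD HOST: the option-group variant
# from the thread, so kamailio.cfg itself carries no password. The file is
# created root-only (umask 077 in a subshell) and '"' and '\' in the
# password are escaped as MySQL option files require.
write_mysql_group() {
    esc=$(printf '%s' "$4" | sed 's/[\\"]/\\&/g')
    (
        umask 077
        {
            printf '[%s]\n' "$2"
            printf 'user=%s\n' "$3"
            printf 'password="%s"\n' "$esc"
            printf 'host=%s\n' "$5"
        } > "$1"
    )
}

# run_entrypoint: render the config and hand it to kamailio on stdin.
# -DD keeps kamailio in the foreground and -E logs to stderr (assumed
# container defaults); remaining arguments are passed through.
run_entrypoint() {
    pw=$(read_secret "$SECRET_FILE")
    if [ "${USE_MYSQL_GROUP:-0}" = "1" ]; then
        write_mysql_group "$MYSQL_CNF" kamailio "${DB_USER:-kamailio}" "$pw" "${DB_HOST:-db}"
    fi
    render_cfg "$TEMPLATE" "$pw" | kamailio -DD -E -f - "$@"
}

# Only start kamailio when run as the container entrypoint (ENTRYPOINT_RUN=1).
if [ "${ENTRYPOINT_RUN:-0}" = "1" ]; then
    run_entrypoint "$@"
fi
```

Docker mounts secrets on a tmpfs under /run/secrets/, so the only plaintext copies are that mount and the pipe into kamailio; nothing is left in the image layers or in `docker inspect` output. The limitation Daniel states still applies: anyone with root in the container can read the password out of the running process with gdb or from /proc, so this protects the config at rest, not the process.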