[OpenSIPS-Users] opensips-cli and /tmp

Gregory Massel greg at switchtel.co.za
Tue Feb 9 02:55:24 EST 2021


I struggled for quite some time to get opensips-cli working on Ubuntu 
20.04 LTS.

It seems that there are now some security protections within the Linux 
kernel (fs.protected_fifos) against users other than the original 
creator from writing to fifo files in /tmp.

https://unix.stackexchange.com/questions/503111/group-permissions-for-root-not-working-in-tmp 

I eventually got opensips-cli working by moving the opensips_fifo into 
/var/run/opensip/ instead of /tmp and then setting up an 
opensips-cli.cnf file that pointed opensips-cli to the new fifo path.

I don't fully understand the reasons for protecting fifos in this manner 
but I'm guessing that the intent is to prevent something other than the 
intended application from creating the fifo first and then snooping in 
to any data sent by client applications. Although the risk for something 
like opensips-cli is probably minimal, I can see how this may present a 
security risk for other applications.

This calls into question whether it is sensible to continue creating the 
opensips_fifo within /tmp by default? Perhaps, for future versions, the 
default should be in a directory owned by the opensips user (rather than 
one with the sticky bit set)?
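
The following is an added example, not part of the original post and not OpenSIPS code. It mirrors the kernel's fs.protected_fifos rule, which applies to opens that pass O_CREAT (as Python's open(path, "w") does), so the /tmp case can be compared with a dedicated directory. The function names and the uids 113 and 1000 are assumptions chosen for illustration.

```python
import os
import stat


def create_open_blocked(level, dir_mode, dir_uid, fifo_uid, caller_uid):
    """Mirror the kernel's decision for an O_CREAT open of an existing FIFO.

    level is fs.protected_fifos (0, 1 or 2); dir_mode and dir_uid describe the
    directory holding the FIFO; caller_uid is the fsuid of the opening process.
    Ordinary permission bits on the FIFO are checked separately by the kernel
    and are not modelled here.
    """
    if level == 0 or not dir_mode & stat.S_ISVTX:
        return False              # protection off, or directory not sticky
    if fifo_uid in (dir_uid, caller_uid):
        return False              # FIFO owned by the directory owner or the caller
    if dir_mode & stat.S_IWOTH:
        return True               # world-writable sticky directory (level >= 1)
    return level >= 2 and bool(dir_mode & stat.S_IWGRP)  # group-writable, level 2


def check_path(fifo_path, caller_uid=None):
    """Apply the rule to a real FIFO on this host (Linux only)."""
    with open("/proc/sys/fs/protected_fifos") as f:
        level = int(f.read())
    fifo = os.stat(fifo_path)
    if not stat.S_ISFIFO(fifo.st_mode):
        raise ValueError(f"{fifo_path} is not a FIFO")
    parent = os.stat(os.path.dirname(os.path.abspath(fifo_path)))
    uid = os.geteuid() if caller_uid is None else caller_uid
    return create_open_blocked(level, parent.st_mode, parent.st_uid, fifo.st_uid, uid)


if __name__ == "__main__":
    # Constructed sample values: uid 113 stands in for the opensips user,
    # uid 1000 for the admin running the CLI, uid 0 is root.
    tmp_mode = stat.S_IFDIR | 0o1777        # /tmp: sticky, world-writable
    run_mode = stat.S_IFDIR | 0o750         # dedicated directory, no sticky bit
    print("/tmp, other user :", create_open_blocked(1, tmp_mode, 0, 113, 1000))
    print("/tmp, root       :", create_open_blocked(1, tmp_mode, 0, 113, 0))
    print("/tmp, fifo owner :", create_open_blocked(1, tmp_mode, 0, 113, 113))
    print("dedicated dir    :", create_open_blocked(1, run_mode, 113, 113, 1000))
```

Root is refused in the /tmp case as well, because the rule compares ownership rather than privilege; in a directory without the sticky bit the rule never applies and only the normal file permissions decide.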
