Security. There are many considerations when running programs which are accessible through a web server, especially when the server is publicly accessible (through the internet). It is much more likely that someone will happen upon your networked machine than it is that they will hit upon it war dialing (successively calling many phone numbers looking for a machine) and it is easier to feed it strange input through a tcp socket than through a dtmf phone pad. VOCPweb was written with security in mind since day one and I believe it is quite safe to use - the problem is that I am certain that this is what the Sendmail, BIND etc. etc. authors also thought ;) It is therefore important to consider security issues and act approprietly when seting up CGIs, such as VOCPweb. There are two methods you may choose from when doing the VOCPweb setup, each of which has its own advantages and disadvantages that address a specific situation: - Running as the webserver - Running suid (set uid) Running as the webserver. Running the program with the uid of the webserver is safest in general and is the procedure to follow if your program will be accessible from computers off the premises. It is also the recommended installation method. The problem here is that the message files (which by default are only readable by the user) must be made readable to the web server process. Pros and cons: Pros The program runs as the webserver - a user with minimal access/control over the system - so any discovered vulnerabilities (in the program or perl itself) which would allow the malicious user to act on the host machine will have little effect. Running as the webserver makes finding security holes in the cgi less attractive, so malicious users will focus more on Sendmail, locale vulnerabilities or whatever more than they will on VOCPweb anyway. Cons All messages must be readable by the webserver process (this does not mean that they must be readable by everyone on the 'net, though). You cannot use the Delete message function when running this way, since the message files are owned by the box owner. The boxes.conf file (which holds box configuration information) must also be readable by the webserver. This means that vulerabilities in the program or other means (like allowing a malicious user to install a cgi that also runs as the webserver) might allow someone to read all the message files - a breach in privacy - or even see the box configuration file. Normally, the messages in the incoming directory (/var/spool/voice/incoming, by default) are not within the webserver accessible directories so it is not possible to simply do something like http://www.yourcomputer.com/some/path/message.rmd to download the messages and they are quite safe. The same holds true for the box configuration file. The only exceptions are - cases where malicious users have access to the machine (to become the user nobody or set up a cgi that will) and - cases where users choose to "Embed" sound files in the pages - these files must be retrievable through a url and thus are accessible to the world. It is safest to avoid this and simply download the messages but the webserver accessible versions of embeded messages are destroyed by VOCPweb when the user logs out. Running suid. In cases where VOCPweb will not be accessible to the outside world (say it is inside a firewall on the company LAN) and your top priority is ensuring that members of the company never hear an other employee's messages, you may set VOCPweb such that it runs setuid. In this case, the programs starts as the root user, switches to the webserver user for normal operation and, when it needs to access a file which is readonly by the box owner, it changes it's uid to that of the box owner (as long as it is not root) performs the operation and promptly changes it's uid back to that of the webserver. Pros and Cons Pros You need not make all the message files readable by one user (the webserver) - Users need to be either the box owners or root to read the files at all times. The webserver process can not read the boxes.conf file, so your box config is safe from other people's cgi programs. Cons This program is running suid root! Although all precautions have been taken - and the program swaps its id from root to less threatening uids like the webserver's - any vulnerability with the program or even with the perl executable (which is written in C) means big bad news for your machine, leading to (in the worst case) giving root superuser powers to the malicious black hat. This would not be so good. The program was written as if it were to be used running setuid and every precaution has be taken. This is still not the recommended method for running VOCPweb - here are some alternate suggestions: - Run the program on a host which does not allow users to upload arbitrary CGIs - this will keep the messages safe from other webserver processes and allow you to avoid running it suid. - If what you are worried about is some other means of gaining the webserver id, plug those holes up - just because the user is 'nobody' doesn't mean anybody should be granted that uid :) - and thus avoid running VOCPweb suid. General notes Every precaution has been taken to protect the cgi from user input (taint checking and such) but for added security file deletions are disabled. For message deletion to function, the cgi must be running setuid (as these are owned by the box owner) and you must explicitly enabled file deletions for the function to be available to users. It is recommended that you only allow deletes from the telephone interface. Make sure you set the directory within which the VOCPweb cgi is installed is password protected (through the webserver config or with a .htaccess file) and change the password(s) once in a while. The cgi uses cookie based authentication. These cookies are only valid within the current hour, so stolen cookies won't work for long. However, if the login process is sniffed by a third party they will gain the box number and associated password. It is therefore preferable to encrypt the entire session to protect the password and the privacy of the transmitted messages through SSL. When this is done, ensure that users use the correct URL to access the messages (https://...).