asterisk dapper.2114_to_dapper.2234 diff

Tzafrir Cohen tzafrir.cohen at xorcom.com
Tue Aug 8 06:01:12 UTC 2006


On Tue, Aug 08, 2006 at 08:40:31AM +0300, Diego Iastrubni wrote:
> On Tuesday 08 August 2006 00:51, Kilian Krause wrote:
> > Diego,
> >
> > > > > -#chmod -R 0664 /etc/asterisk/
> > > > > +#chmod -R 0660 /etc/asterisk/
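
Review bot: the recursive `chmod -R 0660 /etc/asterisk/` in the new line applies 0660 to the directory itself and to any subdirectory as well as to the files. That clears the search (x) bit, so neither the owner nor the group can open files beneath it. Set directory and file modes separately, or use a symbolic mode such as `u=rwX,g=rwX,o=` so that directories keep x. The line also remains commented out with `#` on both sides of the change, so the 0664 to 0660 tightening has no effect until it is enabled.
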
> > > >
> > > > This one should certainly be enabled, I suspect!
> > >
> > > Does anyone need to read this dir outside of the "asterisk" family? ->
> > > 660 IMHO 664 is enough, but who knows...
> >
> > well, if you code your VoIP-account data into extensions.conf you'd want
> > some whatsoever unprivileged www-data account to be able to read it?
> > That way any whatsoever misled php script could read that to the public
> > worst case. So, the 660 is probably a good idea. 640 might be even
> > better, but that's a matter of definition of the setup (i.e. who is
> > admin). Most probably the public will find 660 more convenient.
> 
> Just to be precise:
> 
> destar (http://destar.berlios.de/) modifies and 
> parses /etc/asterisk/extensions.conf directly. It does not need its own 
> asterisk-config package.
> 
> On the other hand, freePBX/AMP (http://freepbx.org) has 3 sets of 
> configuration files:
> 
> * static files with hooks
> * additional hooks
> * custom hooks
> 
> The www interface writes directly into the additional hooks and does not try 
> to parse the static files. It assumes that the extensions.conf will include 
> extensions_additional.conf, sip_additional.conf, iax_additional.conf.. etc, 
> and will write the modifications into those files, and then ask asterisk to 
> "reload" via the manager.
> 
> The custom hooks are never modified by the GUI and are left for user 
> customizations. They are not part of the update (and are not even on the 
> package, to prevent problems on upgrades).
> 
> Both frontends (GUIs whatever...) mandate that the web server (apache) 
> will be run as the asterisk user to modify those files. 

destar runs its own separate daemon rather than running from a separate 
httpd. That daemon runs as asterisk.

Which also raises another, slightly more complicated solution:

A separate httpd that will run as asterisk and will be proxied by the
original apache.

Alternatively: rely on the SUID capabilities of apache. But I have not
been able to set this so far. And it is only useful for CGIs, not for
mod_php.

> We (Xorcom) hacked around and 
> managed to keep the apache running as www-data, by adding the user to the 
> "asterisk" group, and making all files writable by the group. I am aware that 
> this just makes the problem bigger (now more people, applications) can mess 
> up more files more easily.
> 
> Note that ARI (Asterisk Recording Interface, 
> http://www.littlejohnconsulting.com/ari) also needs write access at least 
> to /etc/asterisk/voicemail.conf, but this issue is going to be addressed 
> soon. We are hoping to get into a situation in which ARI (again, PHP code 
> running from the www-data context) connects to the asterisk manager, then asks 
> it to modify the voicemail of extension ###. This way at least one package 
> will not need direct access to the file system, see Tzafrir's message with 
> topic "voicemail.conf in asterisk" from yesterday. (security issues later...)
> 
> I have been talking with the developers of freePBX to address the needs of 
> having the www server running as "asterisk". The available solutions are:
> 
> 1) Having another daemon which will listen on TCP/Unix sockets and PHP will 
> ask it to call the retrieve scripts (which read the configuration from mysql 
> and write them back to the file system). That daemon will run with write 
> access to /etc/asterisk/*. 

The current destar package can serve as a model for that,
permission-wise. astmanproxy is missing...

Alternatively send simpler commands to a pipe.

> 
> 2) Run the retrieve script with sudo. This way only one single command will 
> have write access to those directories.
> 
> 3) having only the additional files www-data writable, but still the asterisk 
> directory needs to be writable by that user (or use another sub 
> dir /etc/asterisk/additional with www-data write permissions...?)
> 
> (1) is not a good idea. PHP coders will not code a good solid daemon, period. 
> (2) will have other problems, I am sure.
> (3) has not been tested yet, might work
> 
> Which leads me to (4): I listen to your suggestions ;-)

For all the above I find it complicated to devise an interface that
is useful enough and yet does not allow the caller (e.g: the original
www-data script) the full permissions of the user asterisk.

Basically anybody who can inject arbitrary dialplans to Asterisk has
good control over that user. Specifically one can use System() to
practically make Asterisk run an arbitrary command (as the Asterisk
user).

-- 
Tzafrir Cohen         sip:tzafrir at local.xorcom.com
icq#16849755          iax:tzafrir at local.xorcom.com
+972-50-7952406          jabber:tzafrir at jabber.org
tzafrir.cohen at xorcom.com     http://www.xorcom.com
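
The following shell script is an added example, not part of the original message or of any package named in it. It audits a configuration tree for the three things this thread turns on: files readable or writable by "other", directories that have lost their search bit, and dialplan lines that call System(). The function names and the sample tree are constructed for illustration; pass a real directory as the first argument to audit it instead.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a config tree for files
# readable/writable by "other", directories without the search bit (what a
# blanket `chmod -R 0660` leaves behind), and dialplan lines that call
# System()/TrySystem().

audit_conf_tree() {
    dir=$1
    {
        find "$dir" -type f -perm -0004 | sed 's/^/WORLD-READABLE /'
        find "$dir" -type f -perm -0002 | sed 's/^/WORLD-WRITABLE /'
        # Owner or group cannot traverse the directory.
        find "$dir" -type d ! -perm -0110 | sed 's/^/DIR-NO-SEARCH /'
        # Asterisk comments start with ';', so only match before the first ';'.
        find "$dir" -type f -name '*.conf' \
            -exec grep -EinH '^[^;]*(Try)?System\(' {} + | sed 's/^/SYSTEM-CALL /'
    } 2>/dev/null
}

# Constructed sample tree standing in for /etc/asterisk (assumption).
build_sample_tree() {
    t=$(mktemp -d) || return 1
    chmod 0770 "$t"
    mkdir "$t/additional"
    printf '[default]\nexten => 100,1,Dial(SIP/100)\n' > "$t/extensions.conf"
    printf '[from-web]\nexten => 200,1,System(/bin/true)\n; System(commented out)\n' \
        > "$t/extensions_additional.conf"
    printf '[general]\n' > "$t/sip.conf"
    chmod 0664 "$t/extensions.conf"
    chmod 0660 "$t/extensions_additional.conf"
    chmod 0640 "$t/sip.conf"
    chmod 0660 "$t/additional"     # directory hit by a recursive 0660
    echo "$t"
}

cleanup_sample_tree() { chmod -R u+rwx "$1" && rm -rf "$1"; }

if [ $# -gt 0 ]; then
    audit_conf_tree "$1"
else
    sample=$(build_sample_tree) && audit_conf_tree "$sample"
    cleanup_sample_tree "$sample"
fi
```

A SYSTEM-CALL hit in a file that a web front end can write to is the case the message warns about: whoever controls that file effectively runs commands as the asterisk user.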



More information about the Pkg-voip-maintainers mailing list