Hello!

I want to use "asterisk -rx "show version"" from a PHP script called in the browser using the local apache, which runs as user "apache". Asterisk is running as root.

I added the following line to /etc/sudoers using visudo:

apache ALL = NOPASSWD: /usr/sbin/asterisk

When I am on the command line of my linux box it looks like this:

--------------------------------------------------------
# sudo /usr/sbin/asterisk -rx "show version"

Asterisk 1.0-RC2 built by root@zrlin01.laureen.at on a i686 running Linux

# sudo -u apache /usr/sbin/asterisk -rx "show version"

Unable to connect to remote asterisk
--------------------------------------------------------

"strace" showed me that there is an access problem with "/var/run/asterisk.ctl":

--------------------------------------------------------
munmap(0xbf334000, 4096) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 3
connect(3, {sa_family=AF_FILE, path="/var/run/asterisk.ctl"}, 110) = -1 EACCES (Permission denied)
close(3) = 0
time([1094419366]) = 1094419366
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xbf334000
write(1, "Unable to connect to remote aste"..., 37) = 37
munmap(0xbf334000, 4096) = 0
exit_group(1) = ?
--------------------------------------------------------

System description:
Fedora Core 1
Kernel 2.4.22
Sudo 1.6.7p5
Apache httpd 2.0.50
Asterisk 1.0-RC2

Can anyone please help?

Thank you in advance!

Roland Zagler
mailto:r.zagler@fog.at
@fog smart partners

Why not use a TCP socket and use the manager API, and avoid the permission issues altogether? Enable it in manager.conf, then connect over TCP, log in, and execute the command nice and cleanly in your application. There should be decent examples on voip-info.org.

Do not use "sudo -u apache"; that switches to the apache user and runs the command "/usr/sbin/asterisk -rx "show version"". The asterisk command needs to be run as root, so your PHP script would exec "sudo /usr/sbin/asterisk -rx "show version"".

-- END OF LINE -MCP

On Sun, Sep 05, 2004 at 11:52:13PM +0200, Roland Zagler wrote:
> Hello!
>
> I want to use "asterisk -rx "show version"" from a php script called in
> the browser using the local apache, which runs as user "apache".
> Asterisk is running as root.
>
> I added the following line to /etc/sudoers using visudo:
>
> apache ALL = NOPASSWD: /usr/sbin/asterisk

This should allow the user group known as "apache" to sudo to run the command "/usr/sbin/asterisk" (without any additional parameters). This is surely not what you want. Unless you want apache to be able to initiate starting an extra asterisk (or a DoS attack?)

This is what you should put in sudoers:

apache localhost = NOPASSWD: /usr/sbin/asterisk -rx 'show version'

You should consider putting it in an external script if you feel that the command is getting too complex.

And then you run it just as before, by executing "sudo /usr/sbin/asterisk -rx 'show version'" by the user apache.

As for whether a direct tcp connection is better here: sorry: I have no idea. One thing, though: if you are afraid of any local user that can execute arbitrary code, that local user would be able to use the tcp interface in much nicer ways, right?

--
Tzafrir Cohen                       +---------------------------+
http://www.technion.ac.il/~tzafrir/ |vim is a mutt's best friend|
mailto:tzafrir@technion.ac.il       +---------------------------+

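The external-script approach suggested in the message above, shown as an added example (not code from the thread or from the Asterisk project): a root-owned wrapper maps a short key to a fixed CLI command, so sudoers names only the wrapper and the web process cannot hand arbitrary arguments to asterisk. The wrapper path, the key names and the sudoers line in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed install path (hypothetical):
#   /usr/local/sbin/asterisk-query   owner root, mode 0755, not writable by apache
# Assumed sudoers entry (hypothetical), naming only the wrapper:
#   apache ALL = (root) NOPASSWD: /usr/local/sbin/asterisk-query
# The asterisk binary itself is no longer listed in sudoers.

ASTERISK=/usr/sbin/asterisk   # absolute path, never looked up via $PATH

# Translate a short key into one fixed CLI command string.
# Caller-supplied text is only compared, never forwarded to asterisk.
allowed_command() {
    case "$1" in
        version)  printf '%s\n' 'show version' ;;
        channels) printf '%s\n' 'show channels' ;;   # illustrative second entry
        *)        return 1 ;;
    esac
}

# Validate the argument list, then run the mapped command as the user sudo
# switched to (root). Returns 64 on bad usage, 65 on a refused key.
run_query() {
    if [ "$#" -ne 1 ]; then
        echo "usage: asterisk-query <version|channels>" >&2
        return 64
    fi
    cmd=$(allowed_command "$1") || {
        echo "asterisk-query: refused key" >&2
        return 65
    }
    "$ASTERISK" -rx "$cmd"
}

# Act only when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    run_query "$@"
fi
```

The PHP side would then call `sudo /usr/local/sbin/asterisk-query version` with a constant key, never a string built from request data.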
That's about the most unsecure thing I've ever seen. There is a reason you don't run apache as root, and therefore having a script that sudo's is just as bad. Try using the manager interface for better security. * shouldn't be running as root either if we want to get nitty-gritty about security.

Matthew

----- Original Message -----
From: "Roland Zagler" <r.zagler@fog.at>
To: <asterisk-users@lists.digium.com>
Sent: Sunday, September 05, 2004 4:52 PM
Subject: [Asterisk-Users] Asterisk & sudo from httpd