Koozali.org: home of the SME Server

Giving user www a shell.

duncan

Giving user www a shell.
« on: February 17, 2005, 09:14:56 AM »
I have been working on building sme packages for the Asterisk management portal project and have for the most part finished. I have a small problem in that the httpd owner (in this case www) needs a shell to run and update the Flash Operator Panel. Easy enough to do - however I am not sure of the security implications in doing this.

I would appreciate any comment on the possible risks involved in doing this.

Regards Duncan

guest22

Giving user www a shell.
« Reply #1 on: February 17, 2005, 09:43:24 AM »
Hi Duncan,

I guess you are looking at a way to start/stop server.pl. Have you considered trying this by using the asterisk manager to execute a system command?

guest

duncan

Giving user www a shell.
« Reply #2 on: February 17, 2005, 10:02:08 AM »
Quote from: "guest22"
Hi Duncan,

I guess you are looking at a way to start/stop server.pl. Have you considered trying this by using the asterisk manager to execute a system command?

guest


Hello,

AMP has a few hooks into FOP for adjusting its config files and reloading op_server.pl etc. Does everything automagically - however it needs to run as the httpd owner and does this via su (Has its own script - amportal). The docs suggest running httpd as asterisk:asterisk which doesn't work too well with SME.

Duncan

chriskearns

Giving user www a shell.
« Reply #3 on: February 17, 2005, 02:36:40 PM »
Hi Duncan,

I have installed AMP on a 6.01 SME server (by hand). I had the same issue, so I changed the httpd user to 'asterisk' with a custom template.

However, I would prefer to run asterisk as root, as that way it can take the -p parameter, to run in real-time.

Any idea what effect this would have on AMP? I presume it will have a problem reloading after a change to the AMP database.

duncan

Giving user www a shell.
« Reply #4 on: February 17, 2005, 03:07:36 PM »
I did in amportal

Code:
su - root -c "export PATH=$PATH:/usr/sbin && export LD_LIBRARY_PATH=/usr/local/lib && /usr/sbin/safe_asterisk -p"

All on one line. Seemed to work fine.

I wasn't keen on running httpd as asterisk - so I gave www a shell and changed some permissions around as well as starting FOP as www.

Curious to know if you patched asterisk for spandsp. I haven't had a chance to test it out yet.

Regards Duncan.
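
A check for the question this thread opens with, added here as an example and not taken from any post: it reports which of the named service accounts in a passwd-format file can get a login shell. The passwd entries are constructed sample data and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed passwd entries for the accounts named in the
# thread; UIDs, GECOS fields and home directories are made up.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
www:x:102:102:web server:/home/e-smith:/bin/bash
asterisk:x:420:420:Asterisk PBX:/var/lib/asterisk:/sbin/nologin
amp:x:421:421:AMP i-bay:/home/e-smith/files/ibays/amp:
EOF
}

# audit_service_shells PASSWD_FILE ACCOUNT...
# Prints "account:shell" for each named account that can get a login shell.
audit_service_shells() {
    passwd_file=$1; shift
    for acct in "$@"; do
        awk -F: -v u="$acct" '
            $1 == u {
                # Field 7 is the shell; an empty field means /bin/sh.
                sh = ($7 == "") ? "/bin/sh" : $7
                if (sh !~ /\/(nologin|false|true)$/) print $1 ":" sh
            }' "$passwd_file"
    done
}

# With no arguments, run against the constructed sample; otherwise pass
# a real file and account names, e.g.: /etc/passwd www asterisk
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp) && sample_passwd > "$tmp" &&
        audit_service_shells "$tmp" www asterisk amp
    rm -f "$tmp"
else
    audit_service_shells "$@"
fi
```

An empty shell field is reported as well, because login programs fall back to /bin/sh for it.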

chriskearns

Giving user www a shell.
« Reply #5 on: February 17, 2005, 04:38:45 PM »
Thanks for the tip, I'll try it out.

No, I didn't patch asterisk at all, just took the 1.0.5 .gz file and made a .rpm for it.

I understood that spandsp was purely for fax support, and as I didn't have a requirement, I didn't include it.

If you need anyone to test your AMP.rpm, I'll be glad to help! :-D

davidk

Giving user www a shell.
« Reply #6 on: February 23, 2005, 07:31:57 PM »
Duncan, I am working on the same thing.  

I have modified AMP and have it working with asterisk on a SME6.0.1 box.  I have patched a cvs version of asterisk with spandsp.  The computer has an X100P card which is happily differentiating between a fax and a voice call.  The faxes are being handled nicely (converted to pdf files and emailed as attachments to a designated user).  I have two Grandstream phones on the LAN VOIP system and they work nicely within the LAN and also dialing in and out through the X100P card.

I was also hacking around with user:group stuff for amp.  I changed it so that asterisk runs httpd and owns /var/www/html .  I know this is not the best solution.  I tried adding user asterisk to the share and www group instead but still there were permission problems.  

I also modified amp to install in /var/www/html/amp rather than /var/www/html.  This required making changes to a few amp files since the paths are hard coded in a couple files.

I think it is rather heavy handed that amp wants to own the httpd and /var/www/html ( I assume the idea is that they create a computer as a single purpose amp/asterisk server.  But still...)


I would like to collaborate with you on this to reduce redundancy and get a good working product.

Below is a somewhat messy list of the steps I took.

Installed on pbx( the hostname) for AMP (in this order)

cpp-2.96-113.i386.rpm
glibc-devel-2.2.5-44.i386.rpm
glibc-kernheaders-2.4-7.16.i386.rpm
gcc-2.96-113.i386.rpm
audiofile-0.2.3-1.i386.rpm
pkgconfig-0.12.0-1.i386.rpm
audiofile-devel-0.2.3-1.i386.rpm
bison-1.35-1.i386.rpm
kernel-source-2.4.20-18.7.i386.rpm
libtiff-3.5.7-2.i386.rpm
libtiff-devel-3.5.7-2.i386.rpm
ncurses-devel-5.2-26.i386.rpm
openssl-devel-0.9.6b-35.7.i386.rpm
zlib-devel-1.1.4-8.7x.i386.rpm
lame-3.96.1-1.0.rh7.dag.i386.rpm

Gotta install ghostscript for fax to email...
(order is important)
rpm -ivh XFree86-libs-4.2.0-8.i386.rpm
rpm -ivh Omni-0.5.1-3.i386.rpm
rpm -ivh XFree86-font-utils-4.2.0-8.i386.rpm
rpm -ivh XFree86-xfs-4.2.0-8.i386.rpm
rpm -ivh chkfontpath-1.9.5-2.i386.rpm
rpm -ivh ttfonts-1.0-9.noarch.rpm
rpm -ivh VFlib2-2.25.6-4.i386.rpm
rpm -ivh urw-fonts-2.0-17.noarch.rpm
rpm -ivh --nodeps ghostscript-fonts-5.50-3.noarch.rpm
rpm -ivh ghostscript-6.52-8.i386.rpm


Perl modules installed for AMP (in this order)
 
Net-Telnet-3.03.tar.gz  
IPC-Signal-1.00.tar.gz  
Proc-WaitStat-1.00.tar.gz
mime-construct-1.8.tar.gz
asterisk-perl-0.08.tar.gz  

For via boards the asterisk Makefile has to have PROC=i586 set or it won't work.

In the Opencall dsp software, spandsp ...
(T.31 is the class 1 FAX modem spec and that code is not complete).
In src/Makefile.am remove references to t31.c and build the library.

Create /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/99AMPAccess

/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
/etc/e-smith/events/actions/restart-httpd-graceful

Change /var/www/html/amp/panel/op_server.cfg flash_dir parameter to...
flash_dir=/var/www/html/amp/panel

Change /var/www/html/amp/admin/vm_conf.php
$vmconf = '/var/www/html/amp/admin/voicemail.conf';

Change  /var/www/html/amp/admin/cdr/lib/defines.php
change WEBROOT and FSROOT

Changes to AMP for e-smith
change /etc/php.ini file  to find DB.php in /usr/share/pear
include_path            = ".:/usr/share/php:/usr/share/pear"

Should create custom template for...
/etc/e-smith/templates/etc/php.ini/50PathsDirectories:include_path


Dir seems to be missing...

mkdir /var/lib/asterisk/sounds/custom
chown asterisk.shared /var/lib/asterisk/sounds/custom/


Change /var/www/html/amp/admin/retrieve_op_conf_from_mysql.pl
$sip_conf = "/var/www/html/amp/panel/op_buttons_additional.cfg";

Change /var/www/cgi-bin/vmail.cgi
$astpath = "/amp/_asterisk";

duncan

Giving user www a shell.
« Reply #7 on: February 24, 2005, 12:37:12 PM »
I have built all of the packages required as rpm so you really only need to install libtiff from that lot of dev tools.

The asterisk rpm needs a little work to give it ch_zap.so without requiring zaptel to be compiled and working on the system. The amp rpm needs some work to sort out permissions and owner issues.

I have modified extensions.conf to do away with the pdf attachments and have it send tifs instead. No need to add all the ghostscript stuff (I find pdfs to be cumbersome). I also set it up to make use of the customer's TSI rather than caller id - which is more informative.

T.31 will not compile because gcc is lower than 3.0 - doesn't seem to be a problem though - just used the method you used to get it up and running. The faxing works well enough - though I did do some 20 page faxes (for testing) and managed to kill it - so I will need to test it some more before moving away from hylafax.

I have put this to the back burner for the moment - I do however have two large voip installs coming up in the next month (using Samsung iDCS product) and I am really keen to try to set * up alongside for voicemail (no hardware - just Sip) so I will pick it up again around that time.

davidk

Giving user www a shell.
« Reply #8 on: February 24, 2005, 04:36:07 PM »
Duncan, would you care to share your work in progress with me and I can work on the areas that you have pointed out as needing attention?

I can move this forward while you are working on other projects.

Let me know.

David

Skydiver

Duncan
« Reply #9 on: February 24, 2005, 11:49:42 PM »
I must note it is good to see Duncan working hard as always.

I tested this one Duncan on 6.01

http://www.asternic.org/

Has basic operator functions and was easy enough to setup.

Cheers  :-D

dswillia

/bump
« Reply #10 on: March 06, 2005, 05:59:00 PM »
Just checking to see if you had made any progress with a how-to or rpm for amp.  I installed the rpm for asterisk this morning, but would feel more comfortable with a config tool.

Regards

enzom

Giving user www a shell.
« Reply #11 on: March 07, 2005, 11:45:42 AM »
Quote from: "davidk"

For via boards the asterisk Makefile has to have PROC=i586 set or it won't work.


A little trick for VIA CPU users who have to compile sources often: create a file /usr/local/bin/uname containing:

Code:

  #!/bin/sh
  # Wrapper for VIA CPUs: report i586 instead of i686 to build scripts.
  /bin/uname "$@" | sed -e 's/i686/i586/g'


...and chmod it as executable:
Code:

  chmod +x /usr/local/bin/uname


Every time a Makefile will execute "uname" to get the architecture, it'll invoke /usr/local/bin/uname which will correct any occurrence of "-i686" in /bin/uname's output into "-i586":

Code:

[root@emn opt]# uname -a
Linux emn 2.4.20-18.7 #1 Thu May 29 07:51:41 EDT 2003 i586 unknown
[root@emn opt]#


Enzo
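
The wrapper above works because /usr/local/bin comes before /bin in PATH, so it changes what every process with that search order sees, not only Makefiles. The following is an added example, not part of the original post, that lists which command names in a PATH are shadowed by an earlier directory; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: find commands that an earlier PATH directory overrides.
#
# shadowed_commands PATH_STRING
# Prints "name<TAB>winner<TAB>shadowed" for every executable name that
# occurs in more than one directory; the first directory wins, as in
# the shell's own lookup.
shadowed_commands() {
    (
        IFS=:; visited=
        for dir in $1; do
            [ -n "$dir" ] || dir=.    # empty entry means current directory
            # Resolve symlinks so /bin -> /usr/bin is not counted twice.
            dir=$(cd "$dir" 2>/dev/null && pwd -P) || continue
            case ":$visited:" in *":$dir:"*) continue ;; esac
            visited="$visited:$dir"
            for f in "$dir"/*; do
                [ -f "$f" ] && [ -x "$f" ] || continue
                printf '%s\t%s\n' "${f##*/}" "$f"
            done
        done
    ) | awk -F'\t' '
        $1 in first { print $1 "\t" first[$1] "\t" $2; next }
        { first[$1] = $2 }'
}

# Usage: sh shadowed.sh "$PATH"
if [ "$#" -gt 0 ]; then
    shadowed_commands "$1"
fi
```

On the box described in the post, the expected report would include uname with /usr/local/bin/uname as the winner over /bin/uname.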

davidk

Re: /bump
« Reply #12 on: March 15, 2005, 07:08:53 AM »
Quote from: "dswillia"
Just checking to see if you had made any progress with a how-to or rpm for amp.  I installed the rpm for asterisk this morning, but would feel more comfortable with a config tool.

Regards



Hi.  I uploaded a version 1 of a How to guide for AMP on the SME Server.  You can check it out at...

http://no.longer.valid/phpwiki/index.php/How%20to%20install%20AMP%3A%20the%20Asterisk%20Management%20Portal

David K.

duncan

Giving user www a shell.
« Reply #13 on: March 15, 2005, 07:31:01 AM »
Looks good.

Some packages -> http://www.goldtel.com.au/amp/

enzom

Re: /bump
« Reply #14 on: March 15, 2005, 08:53:18 AM »
Quote from: "davidk"
Hi.  I uploaded a version 1 of a How to guide for AMP on the SME Server.  You can check it out at...

http://no.longer.valid/phpwiki/index.php/How%20to%20install%20AMP%3A%20the%20Asterisk%20Management%20Portal

David K.


I have followed a different approach: AMP running into its i-bay as user "amp", asterisk as user "asterisk" and Apache as user "www"; then all of them are placed into a common "astman" group. Here are the main steps (I might have forgotten some):

- Through the web server manager, create an "astman" group, with the Administrator part of it
-  Through the web server manager, create an "amp" i-bay, part of the "astman" group,
  with user access "read:group, write:group", Web access "Entire Internet (password required)"
  Execution of dynamic content "enabled"
- Manually (using vi) add the user asterisk to the group "astman" in /etc/group

Now the html and cgi-bin under /home/e-smith/files/ibays/amp/ (seen from the web as "http://.../amp/") are owned by root but part of the astman group which has rw rights.

Untar AMP to /usr/src/AMP and follow the rest of the instructions inside INSTALL but replace occurrences of /var/www/ with /home/e-smith/files/ibays/amp/ , both in the instructions and inside:

/home/e-smith/files/ibays/amp/html/admin/cdr/lib/defines.php
/home/e-smith/files/ibays/amp/html/admin/bounce_op.sh
/home/e-smith/files/ibays/amp/html/admin/retrieve_op_conf_from_mysql.pl
/home/e-smith/files/ibays/amp/html/admin/vm_conf.php
/home/e-smith/files/ibays/amp/html/panel/op_server.cfg
/usr/sbin/amportal
/etc/init.d/asterisk
 
Also, in /home/e-smith/files/ibays/amp/html/index.html change /cgi-bin into ./cgi-bin, panel into ./panel and admin into ./admin

Before running "/usr/sbin/amportal start" (which sets various permissions), in /usr/sbin/amportal change chown_asterisk() as follows:
Code:

chown_asterisk() {
echo SETTING FILE PERMISSIONS
chown -R asterisk:astman /var/run/asterisk
chmod ug+rw /var/run/asterisk
chown -R asterisk:astman /etc/asterisk
chmod ug+rw /etc/asterisk
chown -R asterisk:astman /var/lib/asterisk
chmod ug+rw /var/lib/asterisk
chown -R asterisk:astman /var/log/asterisk
chmod ug+rw /var/log/asterisk
chown -R asterisk:astman /var/spool/asterisk
chmod ug+rw /var/spool/asterisk
chown -R asterisk:astman /dev/zap
chmod ug+rw /dev/zap
chown asterisk /dev/tty9
#chown -R asterisk:asterisk /var/www
chmod ug+x /var/lib/asterisk/agi-bin/*.agi
chmod ug+x /home/e-smith/files/ibays/amp/cgi-bin/*.cgi
chmod ug+x /home/e-smith/files/ibays/amp/html/admin/*.pl
chmod ug+x /home/e-smith/files/ibays/amp/html/admin/*.sh
chmod ug+x /home/e-smith/files/ibays/amp/html/panel/*.pl
echo Permissions OK
}

Now solve the issue with PEAR, installed in /usr/share/pear which is out of the open_basedir defined in /etc/e-smith/templates/etc/httpd/conf/httpd.conf/95AddType00PHP2ibays . Change:
    "php_admin_value open_basedir $basedir\n";
to
"php_admin_value open_basedir $basedir:/usr/share/pear\n";

Then issue:
      /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
      /etc/init.d/httpd restart

Finally, rename /etc/init.d/asterisk to /etc/init.d/asterisk-old and copy /usr/sbin/amportal to /etc/init.d/asterisk .

Enzo
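
An audit for the shared-group layout described in the post above, added here as an example and not part of Enzo's instructions: because the web server account is a member of the common group, it lists the executable files that group can modify and the directories it can write to. The function name is hypothetical; the group and path in the usage comment are the ones from the post.

```shell
#!/bin/sh
# Added example: show what members of a shared group can rewrite.
#
# group_write_exposure GROUP DIR...
# Prints "file<TAB>path" for executable regular files the group can
# modify, and "dir<TAB>path" for directories the group can write to
# (a writable directory lets a member replace a script even when the
# script itself is read-only).
group_write_exposure() {
    grp=$1; shift
    {
        find "$@" -type f -group "$grp" -perm -020 \
            \( -perm -100 -o -perm -010 -o -perm -001 \) \
            -exec printf 'file\t%s\n' {} \;
        find "$@" -type d -group "$grp" -perm -020 \
            -exec printf 'dir\t%s\n' {} \;
    } 2>/dev/null | sort
}

# Usage: sh exposure.sh astman /home/e-smith/files/ibays/amp
if [ "$#" -ge 2 ]; then
    group_write_exposure "$@"
fi
```

Every "file" line under cgi-bin or html/admin is a script that any process running as a group member, the web server included, can change before it is next executed.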