[asterisk-dev] Academic Asterisk Adventure

Tzafrir Cohen tzafrir.cohen at xorcom.com
Tue Jan 2 22:54:51 MST 2007


Nice projects!

See reply inline,

On Tue, Jan 02, 2007 at 09:06:12PM -0500, Shawn Van Every wrote:

> Many of the issues that we ran into were a direct result of running  
> PHP for both AGI scripting in Asterisk and normal web development  
> with Apache. PHP’s safe mode and SELinux contributed to these  
> difficulties.
> 
> The problem is that Asterisk was running as the “asterisk” user and  
> Apache was running as a different user. PHP safe mode was relaxed to  
> allow the group to execute the files but this still threw many of us  
> for a loop several times.
> 
> I don’t want to whine about this too much as it is what was available  
> and we just had to deal with it. One thing that might help would be  
> to enable suexec within Asterisk so that AGI scripts could run as the  
> owner of the script. This, I believe, is how Apache can be set up to  
> handle things and would go a long way towards alleviating many of the  
> issues we had with both security and usability.

suexec has a very strict security model and heavily relies on
public_html. And anyway, even if the external half of the script will
run as the user, an AGI script is not a one-shot process like a CGI
script:

an AGI process can control the flow of an Asterisk channel. So even if
it is not running as the user Asterisk, it still runs Asterisk and has
almost the same powers as any arbitrary dialplan.

> 
> The next major problem we had was in developing dialplans and editing  
> other Asterisk configuration files. At first, I set up an extensions  
> file for each student that was included (using #include) in the main  
> Asterisk extensions.conf file. Unfortunately, we ran up against a  
> hard limit to the number of includes that Asterisk would handle and  
> half of the files never got included.

I never ran into this. I had a config file for Asterisk that for a silly
reason #include-d subdir/*.conf and that subdir had more than 20 files
(albeit short).

Could you please give a minimal configuration that breaks #include ?

> 
> To alleviate that problem, I put together a PHP script and a shell  
> script that would cat together all of the extension files that needed  
> to be included. These scripts also took care of issuing the reload  
> command to the asterisk manager interface. 

Wow, why not use #exec instead of an external script, then?

> This worked reasonably  
> well but didn’t have any error checking so that if one user’s  
> extensions file had errors or if they used a context that was named  
> the same as another user, problems would arise.

That's Asterisk's job. However, Asterisk is not well-designed for a
multi-user setup.

> 
> This is probably a harder problem to solve in the current design of  
> Asterisk. I am interested in hearing others’ thoughts on how these  
> problems could be solved. My thoughts are that Asterisk could somehow  
> take some pointers from Apache and allow individual users to have a  
> set of configuration files that get included at run time when their  
> extension is entered. Something similar to the concept of a  
> public_html directory. Asterisk when told to go to a specific user’s  
> context would look in a specific directory and include the dialplan  
> from there.

Technically implementing that wouldn't be such a problem, I guess. But I
don't see the point in it.

Asterisk is not designed for a multi-user setup. public_html is designed
to let apache serve the user's files. User's configuration to Asterisk
is closer to not only allowing CGI scripts from public_html, but also
PHP (unlimited arbitrary code in the context of the web server. Ignore
safe_mode for now).

If you can inject an arbitrary dialplan you can easily:

1. Get Asterisk into a loop

2. Get Asterisk to run an arbitrary command as the user Asterisk
   (through System or AGI)

-- 
               Tzafrir Cohen       
icq#16849755                    jabber:tzafrir at jabber.org
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com       
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
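
The error checking that the concatenation scripts in this thread lacked, as an added example that is not part of the original message or of Asterisk: a pre-merge audit of per-user dialplan fragments that flags contexts defined by more than one owner, `#include`/`#exec` directives, and applications that run external programs as the Asterisk user. The fragment layout, the deny-list and the sample dialplans are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Applications/functions that start external programs as the Asterisk user.
EXEC_APPS = re.compile(
    r"\b(System|TrySystem|AGI|EAGI|DeadAGI|ExternalIVR|SHELL)\s*\(", re.I)
CONTEXT = re.compile(r"^\[([^\]]+)\]")
RESERVED = {"general", "globals"}  # special sections; matched case-insensitively


def audit_fragments(fragments):
    """fragments: {owner: dialplan text}. Returns a sorted list of findings."""
    findings, owners_of = [], defaultdict(set)
    for owner, text in fragments.items():
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = re.split(r"(?<!\\);", raw)[0].strip()  # drop ';' comments
            where = f"{owner}:{lineno}"
            if line.startswith("#"):  # #include / #exec pull in files or output
                findings.append(f"{where}: directive {line.split()[0]} not allowed")
            elif m := CONTEXT.match(line):
                name = m.group(1).strip()
                owners_of[name].add(owner)
                if name.lower() in RESERVED:
                    findings.append(f"{where}: reserved context [{name}]")
            elif m := EXEC_APPS.search(line):
                findings.append(f"{where}: runs external code via {m.group(1)}()")
    for name, owners in owners_of.items():
        if len(owners) > 1:  # same context name in two users' files
            findings.append(f"context [{name}] defined by {', '.join(sorted(owners))}")
    return sorted(findings)


# Constructed sample input: two students' extension files.
SAMPLE = {
    "alice": "[alice-menu]\nexten => 100,1,Answer()\nexten => 100,2,AGI(menu.php)\n",
    "bob": "#exec /usr/local/bin/gen.sh\n[alice-menu] ; clashes with alice\n"
           "exten => 200,1,System(/home/bob/notify.sh)\n"
           "exten => 200,2,Playback(hello) ; System( only in a comment\n",
}

if __name__ == "__main__":
    for finding in audit_fragments(SAMPLE):
        print(finding)
```

A deny-list like this only narrows what a fragment can do; it does not detect dialplan loops, which need limits enforced elsewhere.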

