[Asterisk-Users] HELP NEEDED! - Asterisk GUI

Tzafrir Cohen tzafrir at cohens.org.il
Fri Feb 25 08:25:23 MST 2005


Hi

On Thu, Feb 24, 2005 at 11:41:41AM +0100, Hecken, Guido wrote:
> >Secondly, is the statement no.2 a line a need to change in a given file?
> You have to change/verify some settings in phpconfig_init.php . 
> Look for fakeuser=admin.
> Set $reset_cmd = "./asterisk.reload";
> Be sure the script has write access in /etc/asterisk
> Have something in your sudoers file (/etc/sudoers) like
> apache ALL=(ALL)        NOPASSWD: ALL

Why not simply run apache as root and be done with that?

Adding that line to sudoers makes apache root-equivalent. Any
attacker who is able to compromise apache gets your whole server.

> to allow apache execute system commands like asterisk -r -x 'restart now'
> 
> Another important file is the manager.conf in /etc/asterisk
> [general]
> enabled = yes
> port = 5038
> bindaddr = 0.0.0.0
> 
> [admin]
> secret = secret
> permit = 192.168.0.0/255.255.255.0
> read = system,call,log,verbose,command,agent,user
> write = system,call,log,verbose,command,agent,user
> 
> With these settings enabled, it should work.
> Be aware, this is not a secure solution since allowing apache to execute
> system-commands, and using the asterisk-web-dir (/var/www/html/asterisk)
> without any further security actions like .htaccess file should only be used
> in trusted environments like intranets.

Furthermore: anyone who can add arbitrary entries to your dialplan can
use System to make apache run an arbitrary command. If you run asterisk
as root (which you shouldn't) this gives the attacker a convenient root
shell access. If not: it will only give the attacker the opportunity to
run an arbitrary command as the asterisk user.

If you want to edit an arbitrary config file, use ssh. It is a
well-tested, well understood and well-supported environment. Either edit
directly from the shell (you can't really beat vim ;-) ), or use an
external X server and a more comfortable editor, or simply edit files
via sftp.

> We can live with these restrictions. In the meanwhile we're testing and
> evaluating the complete asterisk configuration from within mysql.

Not much better, security-wise. I figure that the password to a mysql
account with ability to write to the config (and specifically to the
dialplan) will be available in a certain location. So apache still has
the ability to change the dialplan.

Consider using su-exec (and php in cgi) to run the configuration
interface as the user asterisk or a special user.

-- 
Tzafrir Cohen         | New signature for new address and  |  VIM is
http://tzafrir.org.il | new homepage                       | a Mutt's  
tzafrir at cohens.org.il |                                    |  best
ICQ# 16849755         | Space reserved for other protocols | friend
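The sudoers line quoted in this thread (`apache ALL=(ALL) NOPASSWD: ALL`) is the kind of entry a reviewer wants to catch on any box that fronts a web GUI. The following is an added example, not code from the thread, from Asterisk or from the GUI being discussed: it parses sudoers-style entries (a simplified subset: no aliases, no line continuations, no `Defaults`) and flags web-server accounts whose rules are root-equivalent. The sample sudoers text is constructed; the scoped `asterisk ... /usr/sbin/asterisk -rx "reload"` line in it is an assumed, narrower alternative and not something the thread proposes, and the `/usr/sbin/asterisk` path is an assumption.

```python
"""Flag sudoers rules that make a web-server account root-equivalent.

Added example (not from the mailing-list thread or from Asterisk). Handles
a simplified subset of the sudoers grammar: one rule per line, no aliases,
no line continuations.
"""
import re

# Constructed sample, including the line quoted in the thread and an
# assumed narrower alternative that only allows one asterisk CLI command.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    requiretty
root     ALL=(ALL)       ALL
apache   ALL=(ALL)       NOPASSWD: ALL
asterisk ALL=(root)      NOPASSWD: /usr/sbin/asterisk -rx "reload"
%wheel   ALL=(ALL)       ALL
"""

# user  host = (runas) TAG: cmd1, cmd2 ...
SUDO_LINE_RE = re.compile(
    r"^(?P<user>[^\s#]+)\s+"          # user, %group or +netgroup
    r"(?P<host>\S+?)\s*=\s*"          # host list
    r"(?:\((?P<runas>[^)]*)\)\s*)?"   # optional (runas_user[:runas_group])
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"     # NOPASSWD:, SETENV:, ...
    r"(?P<cmds>.+?)\s*$"              # comma-separated command list
)

# Commands that hand over a root shell as easily as ALL does.
SHELL_LIKE = ("/bin/sh", "/bin/bash", "/bin/su", "/usr/bin/sudo",
              "/usr/bin/vi", "/usr/bin/vim")

# Accounts web servers commonly run as (assumed list).
WEB_ACCOUNTS = ("apache", "www-data", "httpd", "nobody", "wwwrun")


def parse_sudoers(text):
    """Return a list of rule dicts parsed from sudoers text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_LINE_RE.match(line)
        if not m:
            continue                             # not a user spec; skip
        runas = (m.group("runas") or "root").split(":")[0].strip()
        rules.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": runas or "root",
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def is_root_equivalent(rule):
    """True if the rule grants every command, or a shell/editor, as root."""
    if rule["runas"] not in ("root", "ALL"):
        return False
    for cmd in rule["cmds"]:
        if cmd == "ALL":
            return True
        if cmd.split()[0] in SHELL_LIKE:
            return True
    return False


def audit(text, accounts=WEB_ACCOUNTS):
    """Users among `accounts` whose rules make them root-equivalent, sorted."""
    return sorted({r["user"] for r in parse_sudoers(text)
                   if r["user"] in accounts and is_root_equivalent(r)})


if __name__ == "__main__":
    for rule in parse_sudoers(SAMPLE_SUDOERS):
        flag = "ROOT-EQUIVALENT" if is_root_equivalent(rule) else "scoped"
        print(f"{rule['user']:10} runas={rule['runas']:5} "
              f"nopasswd={rule['nopasswd']!s:5} {flag}: {rule['cmds']}")
    print("web accounts to fix:", audit(SAMPLE_SUDOERS))
```

Note that NOPASSWD is not what makes the apache line dangerous; `ALL` as the command list is. A web server cannot answer a password prompt anyway, so the practical choice is between a single, fully specified command (as in the `asterisk` line above) and not using sudo at all, which is the direction the reply above recommends.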


