asterisk dapper.2114_to_dapper.2234 diff
diego.iastrubni at xorcom.com
Tue Aug 8 05:40:31 UTC 2006
On Tuesday 08 August 2006 00:51, Kilian Krause wrote:
> > > > -#chmod -R 0664 /etc/asterisk/
> > > > +#chmod -R 0660 /etc/asterisk/
> > >
> > > This one should certainly be enabled, I suspect!
> > Does anyone needs to read this dir outside of the "asterisk" familiy? ->
> > 660 IMHO 664 is enough, but who knows...
> well, if you code your VoIP-account data into extensions.conf you'd want
> some whatsoever unprivileged www-data account to be able to read it?
> That way any whatsoever mislead php script could read that to the public
> worst case. So, the 660 is probably a good idea. 640 might be even
> better, but that's a matter of definition of the setup (i.e. who is
> admin). Most probably the public will find 660 more convenient.
Just to be precise:
destar (http://destar.berlios.de/) modifies and
parses /etc/asterisk/extensions.conf directly. It does not need it's own
On the other hand, freePBX/AMP (http://freepbx.org), have 3 set of
* static files with hooks
* additional hooks
* custom hooks
The www interface, writes directly into the additional hooks and does not try
to parse the static files. It assumes that the extesions.conf will include
extensions_additional.conf, sip_additional.conf, iax_additional.conf.. etc,
and will write the modifications into those files, and then ask asterisk to
"reload" via the manager.
The custom hooks are never modified by the GUI and are left for use
customizations. They are not part of the update (and are not even on the
package, to prevent problems on upgrades).
Both fontends (GUIs whatever...) mandate that the web server (apache) will be
run as the asterisk user to modify those files. We (Xorcom) hacked around and
managed to keep the apache running as www-data, by adding the user to the
"asterisk" group, and making all files writable by the group. I am aware that
this just makes the problem bigger (now more people, applications) can mess
up more files more easily.
Note that also ARI (Asterisk Recording Interface,
http://www.littlejohnconsulting.com/ari) also needs write access at least
to /etc/asterisk/voicemail.conf, but this issue is going to be addressed
soon. We are hoping to get into a situation in which ARI (again, PHP code
running from the www-data context) connect to the asterisk manager, then ask
it to modify the voicemail of extension ###. This way at least one package
will not need direct access to the file system, see Tzafrir's message with
topic "voicemail.conf in asterisk" from yesterday. (security issues later...)
I have been talking with the developers of freePBX to address the needs of
having the www server running as "asterisk". The available solutions are:
1) Having another daemon which will listen on TCP/Unix sockets and PHP will
ask it to call the retrieve scripts (which read the configuration from mysql
and write them back to the file system). That daemon will run with write
access to /etc/asterisk/*.
2) Run the retrieve script with sudo. This way only one single command will
have write access to those directories.
3) having only the additional files www-data writable, but still the asterisk
directory needs to be writable by that user (or use another sub
dir /etc/asterisk/additional with www-data write permissions...?)
(1) is not a good idea. PHP coders will not code a good solid daemon, period.
(2) will have other problems, I am sure.
(3) has not been tested yet, might work
Which leads me to (4): I listen to your suggestions ;-)
Sorry for the long mail, I will try to keep them shorted in future.
More information about the Pkg-voip-maintainers