
Incorrect File / Directory permissions are being applied to tenants

Posted by douglas.ross on Tue, 05/08/2012

If new Tenants are being created, the Voicemail Directory is being created with 'root.root' permissions. Then when Asterisk tries to use this directory to create voicemails for the extension it gives an error message saying that it cannot write the directory because Asterisk does not own it.

If I change the ownership of the voicemail directory to 'asterisk.asterisk' then all works.

Error that was given:
[2012-05-02 09:04:01] WARNING[20186]: app_voicemail.c:1696 create_dirpath: ast_mkdir '/var/spool/asterisk/voicemail/default-SuperiorCabinet/2000/tmp' failed: Permission denied

Permission of the directory:
drwxr-xr-x 3 root root 4.0K Mar 27 15:48 default-SuperiorCabinet

After changing the permissions:
drwxr-xr-x 4 asterisk asterisk 4.0K May 2 09:18 default-SuperiorCabinet

It now works:
-- x=0, open writing: /var/spool/asterisk/voicemail/default-SuperiorCabinet/2000/tmp/bBjcwB format: wav49, 0x7f315ddd2088

What should I do to ensure that it works in the future without manually changing the permission?

Thank you


Submitted by eeman on Tue, 05/08/2012 Permalink

Your easiest solution is to re-configure asterisk to run as user 'root' instead of asterisk. This is actually the preferred method Digium recommends and you'll be able to use more system resources than an unprivileged user.

Submitted by eeman on Thu, 05/10/2012 Permalink

Then I mean this with complete sincerity.. your boss is an idiot who doesn't understand the first thing about phone system security. If he thinks some asshead, spamming online pharmacy erection pills, is his biggest security risk; then he should NOT have the job he does. You don't need root access to cause the sort of damage that results in $10,000 USD in international fraudulent calls that happen inside 36hrs of exploit. That's the sort of security he should focus on. There is zero chance someone is going to race-condition asterisk in order to install an email spam platform. Not when 10k can be made in a day and a half with much less effort. Feel free to pass my opinion on.

Digium intends asterisk to run as root. THAT'S WHY IT COMPILES TO RUN AS ROOT. Changing it to run as non-root was the departure from spec. Otherwise the damn thing would install as another user by default. Instead great work-arounds had to be employed to pull that off. It wasn't about security but pairing the user with apache's process for apache based web applications. Your boss needs to RTFM and STFU when he doesn't know what he is talking about. Running as root is NOT some kind of band-aid work-around. It's the INTENDED state.

Switchvox also does not run as an unprivileged user. The last time I broke into bash shell on switchvox I discovered they specially compiled apache to run as root instead so as to maintain root level permissions to the asterisk process.

Looks like your boss has elected for you to have to restart asterisk every hour to re-run the permission flushing script at startup. Hope your customers do not like dropped calls.

Submitted by ourpbx on Mon, 05/28/2012 Permalink

Hi,

I am using licensed Thirdlane multi-tenant software and I am having a similar problem. Whenever I am creating a new extension it is by default getting permission with root:root. When it is assigned as root:root it is not letting the user drop the voice mail.

I would really appreciate if you can give steps to resolve this problem.

Thanks

Ram

Submitted by douglas.ross on Mon, 05/28/2012 Permalink

Changing the permission of asterisk would work like Erik said, but we just created a cron job to change the permission of the voicemail directory and its contents to asterisk.asterisk.
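
An added example, not part of the original thread or of Thirdlane's code: an audit that lists spool directories the Asterisk account cannot write to, evaluated from the mode bits so it can be run as root before any chown. The function names are hypothetical, and POSIX ACLs and parent-directory permissions are assumed not to matter.

```python
import os
import stat

def can_write_dir(st, uid, gids):
    """Classic Unix mode-bit check: may uid/gids create files in this directory?
    Assumption: no POSIX ACLs; only owner/group/other bits are considered."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        bits = st.st_mode >> 6      # owner triplet
    elif st.st_gid in gids:
        bits = st.st_mode >> 3      # group triplet
    else:
        bits = st.st_mode           # other triplet
    # Creating a file needs both write (2) and search (1) on the directory.
    return (bits & 0o3) == 0o3

def unwritable_dirs(spool, uid, gids):
    """Return directories below spool (relative paths) that uid cannot write to."""
    bad = []
    for root, dirs, _files in os.walk(spool):
        for name in dirs:
            path = os.path.join(root, name)
            st = os.lstat(path)     # lstat: symlinks are skipped, not followed
            if stat.S_ISDIR(st.st_mode) and not can_write_dir(st, uid, gids):
                bad.append(os.path.relpath(path, spool))
    return sorted(bad)

if __name__ == "__main__":
    import pwd
    pw = pwd.getpwnam("asterisk")   # account name as used in this thread
    groups = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for d in unwritable_dirs("/var/spool/asterisk/voicemail", pw.pw_uid, groups):
        print("not writable by asterisk:", d)
```

Run from the same cron job, the list shows which tenant directories were created as root since the last pass, so the ownership change can be limited to those paths.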

Submitted by eeman on Tue, 05/29/2012 Permalink

I SERIOUSLY suggest you NOT run asterisk as user 'asterisk'. There is an actual in-the-wild script being exploited that is allowing users to download your sip.conf file and make illegal calls from your server. Since Apache and Asterisk are both running as user 'asterisk'... the user types this into the URL of their browser..

https://ip.of.your.mte/vtigercrm/modules/Settings/SettingsAjax.php?file=../../../../../../../etc/asterisk/sip.conf%00

You will be presented with the contents of your sip.conf file including all the extension passwords. This is because Apache's running user has full access to read/write/modify your asterisk files.. BAD IDEA. douglas.ross' boss is going to cost his company tens of thousands of dollars because he 'doesn't want to run asterisk as root'. Which is going to result in the exact OPPOSITE result that he was hoping to prevent.

My advice is to eliminate vtigercrm off of your machine, change apache's running user back to user 'httpd' not 'asterisk' and run asterisk as user 'root'. VtigerCRM is not the source of the problem, it's simply a catalyst. Any canned PHP software is just as likely to cause this issue. It's very possible that munin has hidden problems waiting to be exploited as well. It is a bad idea to let the web browser have the same permissions as the asterisk configuration directory. This sort of exploit is rampant in the Trixbox/Elastix world right now due to its design.

This evidence was taken from another ITSP's system that was, in fact, exploited just 5 days ago by a host in Italy, and 2 days later 40k calls were initiated from France running a credit card scam.
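
An added example, not part of the original thread: a scan of Apache access-log lines for the request pattern quoted above (dot-dot segments, a trailing NUL byte, a path under /etc/asterisk/ in a query parameter). The log lines are constructed samples using documentation IP ranges, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (Apache combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [28/May/2012:03:14:07 +0000] "GET /vtigercrm/modules/Settings/'
    'SettingsAjax.php?file=../../../../../../../etc/asterisk/sip.conf%00 HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [28/May/2012:03:15:00 +0000] '
    '"GET /vtigercrm/index.php?module=Home&action=index HTTP/1.1" 200 8841 "-" "-"',
    '203.0.113.9 - - [28/May/2012:03:16:12 +0000] '
    '"GET /download.php?file=manual.pdf HTTP/1.1" 404 312 "-" "-"',
]

# client, request target and status code from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def inspect(line):
    """Return a finding dict for a traversal-style request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    reasons = set()
    # parse_qsl percent-decodes each value, so %00 becomes a real NUL here
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if "../" in value or "..\\" in value:
            reasons.add("dot-dot path segments")
        if "\x00" in value:
            reasons.add("NUL byte")
        if "/etc/asterisk/" in value:
            reasons.add("asterisk config path")
    if not reasons:
        return None
    # Heuristic: a 200 means the server answered with content, so treat the
    # SIP secrets in that file as exposed and rotate them.
    return {"client": client, "status": int(status),
            "served": status == "200", "reasons": sorted(reasons)}

def scan(lines):
    """Inspect every line and keep only the findings."""
    return [finding for finding in map(inspect, lines) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```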