FreePBX 13: Unable to reload through GUI: Asterisk running as root (PiAF)

Good to know :smile:
Thanks.

This actually means that asterisk is running as root and not the asterisk user. This is why a CLI reload works but the GUI doesn’t. PIAF was distributing a version that had asterisk running as root for a good month and didn’t seem to think it was a big deal.

@tm1000

Woah… that’s not good. Is there a way to change that?

http://pbxinaflash.com/community/index.php?threads/asterisk-runs-as-root.17404/

Though it’s a security issue, it was never publicly announced, leaving users like you in the dark.

@tm1000

Thank you for that. I’ll try the steps there when the server is not being used tonight :astonished:… I am more convinced to change to a FreePBX Distro now…

1 Like

The fix is to run the following through terminal:

Tried the fix tonight and it worked! Thanks, @wardmundy :)… Just for reference for anyone else… here’s the code you need to run.

amportal kill
chown -R asterisk:asterisk /var/run/asterisk
sed -i '/END INIT INFO/a AST_USER="asterisk"\nAST_GROUP="asterisk"' /etc/init.d/asterisk
sed -i 's|exit 0|/usr/local/sbin/amportal restart\nexit 0|' /etc/rc.local
amportal restart
sed -i 's|;runuser|runuser|' /etc/asterisk/asterisk.conf
sed -i 's|;rungroup|rungroup|' /etc/asterisk/asterisk.conf
reboot

If ‘amportal kill’ does not work, then ‘amportal stop’ should do the trick and continue with the rest of the commands. Hopefully this helps anybody out there :sunglasses:

For the record @gforceco, you’re running Asterisk 12 which is no longer supported. In evaluating the dangers of various distros, you probably should consider the source of the advice and who acknowledged a root exploit of the FreePBX Distro just three short weeks ago. Then ask yourself how that could happen if the FreePBX Distro weren’t running with root user privileges. The difference is that the FreePBX Firewall not only didn’t protect FreePBX, but it was the actual cause of the root compromise. In contrast, the firewall available for PIAF and Incredible PBX runs INDEPENDENTLY of Apache and its web GUI which is generally a good idea when it comes to firewalls. Otherwise, the whole house of cards comes down (as it did) when any single piece fails.

I’ve manually unflagged Ward’s post in this thread.

I should explain that our forum software (Discourse) is highly self-moderating. If your post is flagged (and people can flag it for any reason they want), your post will get hidden until a real human looks at it.

The only way to stop this from happening is to post helpful and useful posts, and have people click on the Like button (the heart). The more hearts you get, the better the forum software treats you, and the more flags you need to get before your post is hidden.

This is one of the (many) awesome things about Discourse, and is why we love it.

I also urge people not to flag posts for ‘Inappropriate’ when they aren’t - this post wasn’t inappropriate, it was just wrong.

Edit: For those that missed it, the Vulnerability was reported and fixed over twitter in the space of about 10 minutes. Here’s the link to the post where I explained what the problem was, and it’s also mentioned in the first and second posts, too.

It’s not like it’s a sky-is-falling issue, it’s a bug, it was responsibly disclosed, and it was fixed. That’s what infosec is all about. We love people reporting bugs.

3 Likes

Please note this exploit was found by a security researcher who was reviewing code with our support and blessing. When calling your stuff secure it is important to “put up or shut up”. When approached by a security researcher who wants to evaluate what you publicly proclaim as secure, you can A: let them and work with them, or B: well there are other ways to deal with them. So yes the exploit was found with our blessing, fixed, announced without any reports of actual compromised systems.

All code has bugs. The point of my post was to note that you were calling out PIAF for running as root. My question went to whether the FreePBX Distro was doing the same. Very difficult to have a root exploit if your code was actually running as the asterisk user. You have again ignored the question. SO… does the FreePBX Firewall running inside the GUI have root privileges or not?? And, if not, how could there possibly be a root exploit because of a firewall bug? Just trying to learn from the masters…

2 posts were merged into an existing topic: Moved Off-topic thread

It’s also answered in full if the link above was followed and someone just did their own research (by following threads and links starting with the one above) ^^

Heres the link, yet again: FreePBX Firewall Thread! (2nd Post has status) - #72 by xrobau

A post was split to a new topic: Moved Off-topic thread

I’ve got the same issue. After running the commands:
fwconsole stop
chown -R asterisk:asterisk /var/run/asterisk
sed -i '/END INIT INFO/a AST_USER="asterisk"\nAST_GROUP="asterisk"' /etc/init.d/asterisk
sed -i 's|exit 0|/usr/local/sbin/amportal restart\nexit 0|' /etc/rc.local
fwconsole restart
sed -i 's|;runuser|runuser|' /etc/asterisk/asterisk.conf
sed -i 's|;rungroup|rungroup|' /etc/asterisk/asterisk.conf
reboot

I notice the /var/run/asterisk/asterisk/ctl is set to root:root 755

Any ideas?

This thread is a year and a half old. There is now a script that makes migrating off unsupported systems trivially easy:
http://wiki.freepbx.org/display/PPS/Elastix+and+PBXinaFlash+to+FreePBX+Distro+Conversion+Tool

1 Like

Thanks for the reply. I’m running centos 6 which I believe is supported. I used the Install guide located at:
http://wiki.freepbx.org/display/FOP/Installing+FreePBX+13+on+CentOS+6

If I issue a fwconsole restart after a full system restart, the issue disappears.

Probably because asterisk is being started inappropriately in /etc/rc.local or by init.

Make sure it is not in /etc/rc.local

Then use chkconfig to see if it is in init…

# chkconfig --list asterisk
asterisk       	0:off	1:off	2:off	3:off	4:off	5:off	6:off

If those don’t all say off, there is your issue. Run the following.

chkconfig --del asterisk

In /etc/rc.local add

/usr/sbin/fwconsole start
1 Like
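The checks in this thread (runuser/rungroup uncommented in asterisk.conf, /var/run/asterisk owned by asterisk, nothing in init or rc.local starting Asterisk outside fwconsole) pulled together into one audit script. This is an added example, not code from the thread, from FreePBX or from PIAF. Every function takes its input as an argument, so it can be pointed at the real files (/etc/asterisk/asterisk.conf, /var/run/asterisk, /etc/rc.local, the output of `chkconfig --list asterisk`) or at the constructed sample files it creates at the bottom; the sample contents, the temp paths and the use of the current login as the "expected" user are constructed for the demonstration only. It assumes POSIX sh with sed, grep, awk, ls and mktemp.

```shell
#!/bin/sh
# Added example (not from the thread): offline audit helpers for the "Asterisk running as root"
# symptom, where /var/run/asterisk ends up root-owned and the GUI reload fails.
# Every check takes its input explicitly, so the same functions run against real files or
# against the constructed samples created at the bottom of this script.

# 0 if asterisk.conf has an uncommented runuser AND rungroup both equal to "$2".
# A leading ';' marks the line as commented, so ";runuser = asterisk" does not count.
asterisk_conf_user_ok() {
    conf="$1"; want="$2"
    user=$(sed -n 's/^[[:space:]]*runuser[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$conf" | tail -n 1)
    group=$(sed -n 's/^[[:space:]]*rungroup[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$conf" | tail -n 1)
    [ "$user" = "$want" ] && [ "$group" = "$want" ]
}

# Print the owner of a path (the thread's check on /var/run/asterisk); ls works on GNU and BSD.
path_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Print the runlevels in which a service is enabled, given one "chkconfig --list NAME" line.
# Prints nothing when every level is off, which is what the thread wants for asterisk.
chkconfig_on_levels() {
    printf '%s\n' "$1" | tr '\t' '\n' | sed -n 's/^\([0-6]\):on$/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# 0 if an uncommented line in rc.local starts Asterisk directly (init script, service, safe_asterisk)
# instead of going through "fwconsole start", which is the form the thread recommends.
rc_local_starts_asterisk_directly() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -Eq '(^|[[:space:]/])(safe_asterisk|asterisk)([[:space:]]|$)|/etc/init\.d/asterisk|service[[:space:]]+asterisk'
}

# Run all checks, print one line per finding, and return the number of findings (0 = clean).
audit_asterisk_privileges() {
    conf="$1"; rundir="$2"; rclocal="$3"; chk_line="$4"; want="$5"; findings=0
    asterisk_conf_user_ok "$conf" "$want" || { echo "FINDING: runuser/rungroup not set to $want in $conf"; findings=$((findings+1)); }
    owner=$(path_owner "$rundir")
    [ "$owner" = "$want" ] || { echo "FINDING: $rundir owned by $owner, expected $want"; findings=$((findings+1)); }
    levels=$(chkconfig_on_levels "$chk_line")
    [ -z "$levels" ] || { echo "FINDING: init still starts asterisk in runlevels $levels"; findings=$((findings+1)); }
    ! rc_local_starts_asterisk_directly "$rclocal" || { echo "FINDING: $rclocal starts Asterisk directly instead of via fwconsole"; findings=$((findings+1)); }
    return "$findings"
}

# --- constructed sample inputs (not taken from any real system) ---
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
ME=$(id -un)   # the sandbox has no asterisk account, so the current login stands in for it
BAD_CONF="$TMPD/bad.conf"; GOOD_CONF="$TMPD/good.conf"
printf '[options]\n;runuser = %s\n;rungroup = %s\n' "$ME" "$ME" > "$BAD_CONF"   # as PIAF shipped it
printf '[options]\nrunuser = %s\nrungroup = %s\n' "$ME" "$ME" > "$GOOD_CONF"    # after the sed fix
BAD_RC="$TMPD/bad_rc.local"; GOOD_RC="$TMPD/good_rc.local"
printf '#!/bin/sh\n# start pbx\n/etc/init.d/asterisk start\nexit 0\n' > "$BAD_RC"
printf '#!/bin/sh\n/usr/sbin/fwconsole start\nexit 0\n' > "$GOOD_RC"
BAD_CHK=$(printf 'asterisk\t0:off\t1:off\t2:on\t3:on\t4:off\t5:on\t6:off')
GOOD_CHK=$(printf 'asterisk\t0:off\t1:off\t2:off\t3:off\t4:off\t5:off\t6:off')
RUNDIR="$TMPD/run-asterisk"; mkdir "$RUNDIR"   # owned by the current user, like a fixed /var/run/asterisk

echo "== unfixed system =="
audit_asterisk_privileges "$BAD_CONF" "$RUNDIR" "$BAD_RC" "$BAD_CHK" "$ME" || echo "$? finding(s)"
echo "== fixed system =="
audit_asterisk_privileges "$GOOD_CONF" "$RUNDIR" "$GOOD_RC" "$GOOD_CHK" "$ME" && echo "clean"
```

On a live box, replace the sample paths with the real ones and pass `asterisk` as the expected user; a non-zero return from `audit_asterisk_privileges` lists exactly which of the thread's fixes is still missing.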

Thanks so much for the reply. chkconfig was starting asterisk. I ran the command: chkconfig --del asterisk

However adding the line to /etc/rc.local
/usr/sbin/fwconsole start

Still doesn’t start Asterisk after a reboot. FreePBX is showing a red bar at top right: “can no connect to asterisk”.

After issuing a fwconsole start everything is ok.

I noticed /etc/init.d/rc.local doesn’t exist. Any ideas?

# ls -ls rc.local
4 -rwxr-xr-x 1 root root 246 Apr 7 23:14 rc.local

So I added the line: /usr/sbin/fwconsole start
to: /etc/rc.d/rc.local

and it worked. Thanks for your help!