Good to know
Thanks.
This actually means that asterisk is running as root and not the asterisk user. This is why a cli reload works but the gui doesn’t. PIAF was distributing a version that had asterisk running as root for a good month and didn’t seem to think it was a big deal.
http://pbxinaflash.com/community/index.php?threads/asterisk-runs-as-root.17404/
Though it’s a security issue, it was never publicly announced, leaving users like you in the dark.
Thank you for that. I’ll try the steps there when the server is not being used tonight … I am more convinced to change to a FreePBX Distro now…
The fix is to run the following through terminal:
Tried the fix tonight and it worked! Thanks, @wardmundy :)… Just for reference for anyone else… here’s the code you need to run.
amportal kill
chown -R asterisk:asterisk /var/run/asterisk
sed -i '/END INIT INFO/a AST_USER="asterisk"\nAST_GROUP="asterisk"' /etc/init.d/asterisk
sed -i 's|exit 0|/usr/local/sbin/amportal restart\nexit 0|' /etc/rc.local
amportal restart
sed -i 's|;runuser|runuser|' /etc/asterisk/asterisk.conf
sed -i 's|;rungroup|rungroup|' /etc/asterisk/asterisk.conf
reboot
If ‘amportal kill’ does not work, then ‘amportal stop’ should do the trick and continue with the rest of the commands. Hopefully this helps anybody out there
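A way to confirm the fix above took effect, as an added example that is not part of the original posts: it checks that `runuser`/`rungroup` are active in `asterisk.conf`, that nothing under the run directory is still owned by root, and that no `asterisk` process runs as root. The function names are hypothetical; the paths in the usage comment are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example: audit whether Asterisk is set up to run as a non-root user.
# Function names are hypothetical; paths are passed in as arguments.

# conf_value KEY FILE: print the active value of KEY in asterisk.conf.
# Lines starting with ';' are comments, so ";runuser = asterisk" prints nothing.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=>\{0,1\}[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$2" | tail -n 1
}

# config_drops_root FILE: succeed only if runuser and rungroup are both
# active and neither of them is root.
config_drops_root() {
    u=$(conf_value runuser "$1")
    g=$(conf_value rungroup "$1")
    [ -n "$u" ] && [ "$u" != root ] && [ -n "$g" ] && [ "$g" != root ]
}

# owner_of PATH: print "user:group" for a file, socket or directory.
owner_of() { ls -ld "$1" | awk '{ print $3 ":" $4 }'; }

# process_users: distinct users that own a running "asterisk" process.
process_users() {
    ps -e -o user= -o comm= | awk '$2 == "asterisk" { print $1 }' | sort -u
}

# audit CONF RUNDIR: print one line per finding, return 1 if anything failed.
audit() {
    rc=0
    if ! config_drops_root "$1"; then
        echo "FAIL: runuser/rungroup not active (or root) in $1"; rc=1
    fi
    for f in "$2" "$2"/*; do
        [ -e "$f" ] || continue
        case "$(owner_of "$f")" in
            root:*|*:root) echo "FAIL: $f is owned by $(owner_of "$f")"; rc=1 ;;
        esac
    done
    for u in $(process_users); do
        if [ "$u" = root ]; then echo "FAIL: asterisk is running as root"; rc=1; fi
    done
    [ "$rc" -eq 0 ] && echo "OK: Asterisk is not running as root"
    return "$rc"
}

# Run only when both paths are given, e.g.:
#   sh audit.sh /etc/asterisk/asterisk.conf /var/run/asterisk
if [ "$#" -ge 2 ]; then audit "$1" "$2"; fi
```

A root-owned control socket under the run directory, as reported later in this thread, shows up as a FAIL line for that path.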
For the record @gforceco, you’re running Asterisk 12 which is no longer supported. In evaluating the dangers of various distros, you probably should consider the source of the advice and who acknowledged a root exploit of the FreePBX Distro just three short weeks ago. Then ask yourself how that could happen if the FreePBX Distro weren’t running with root user privileges. The difference is that the FreePBX Firewall not only didn’t protect FreePBX, but it was the actual cause of the root compromise. In contrast, the firewall available for PIAF and Incredible PBX runs INDEPENDENTLY of Apache and its web GUI which is generally a good idea when it comes to firewalls. Otherwise, the whole house of cards comes down (as it did) when any single piece fails.
I’ve manually unflagged Ward’s post in this thread.
I should explain that our forum software (Discourse) is highly self-moderating. If your post is flagged (and people can flag it for any reason they want), your post will get hidden until a real human looks at it.
The only way to stop this from happening is to post helpful and useful posts, and have people click on the Like button (the heart). The more hearts you get, the better the forum software treats you, and the more flags you need to get before your post is hidden.
This is one of the (many) awesome things about Discourse, and is why we love it.
I also urge people not to flag posts for ‘Inappropriate’ when they aren’t - this post wasn’t inappropriate, it was just wrong.
Edit: For those that missed it, the vulnerability was reported and fixed over Twitter in the space of about 10 minutes. Here’s the link to the post where I explained what the problem was, and it’s also mentioned in the first and second posts, too.
It’s not like it’s a sky-is-falling issue, it’s a bug, it was responsibly disclosed, and it was fixed. That’s what infosec is all about. We love people reporting bugs.
Please note this exploit was found by a security researcher who was reviewing code with our support and blessing. When calling your stuff secure it is important to “put up or shut up”. When approached by a security researcher who wants to evaluate what you publicly proclaim as secure, you can A: let them and work with them, or B: well there are other ways to deal with them. So yes the exploit was found with our blessing, fixed, announced without any reports of actual compromised systems.
All code has bugs. The point of my post was to note that you were calling out PIAF for running as root. My question went to whether the FreePBX Distro was doing the same. Very difficult to have a root exploit if your code was actually running as the asterisk user. You have again ignored the question. SO… does the FreePBX Firewall running inside the GUI have root privileges or not?? And, if not, how could there possibly be a root exploit because of a firewall bug? Just trying to learn from the masters…
It’s also answered in full if the link above was followed and someone just did their own research (by following threads and links starting with the one above) ^^
Here’s the link, yet again: FreePBX Firewall Thread! (2nd Post has status) - #72 by xrobau
I’ve got the same issue. After running the commands:
fwconsole stop
chown -R asterisk:asterisk /var/run/asterisk
sed -i '/END INIT INFO/a AST_USER="asterisk"\nAST_GROUP="asterisk"' /etc/init.d/asterisk
sed -i 's|exit 0|/usr/local/sbin/amportal restart\nexit 0|' /etc/rc.local
fwconsole restart
sed -i 's|;runuser|runuser|' /etc/asterisk/asterisk.conf
sed -i 's|;rungroup|rungroup|' /etc/asterisk/asterisk.conf
reboot
I notice the /var/run/asterisk/asterisk/ctl is set to root:root 755
Any ideas?
This thread is a year and a half old. There is now a script that makes migrating off unsupported systems trivially easy:
http://wiki.freepbx.org/display/PPS/Elastix+and+PBXinaFlash+to+FreePBX+Distro+Conversion+Tool
Thanks for the reply. I’m running centos 6 which I believe is supported. I used the Install guide located at:
http://wiki.freepbx.org/display/FOP/Installing+FreePBX+13+on+CentOS+6
If I issue a fwconsole restart. After a full system restart the issue disappears.
Probably because asterisk is being started inappropriately in /etc/rc.local or by init.
Make sure it is not in /etc/rc.local
Then use chkconfig to see if it is in init…
# chkconfig --list asterisk
asterisk 0:off 1:off 2:off 3:off 4:off 5:off 6:off
If all those don’t say off there is your issue. Run the following.
chkconfig --del asterisk
In /etc/rc.local add
/usr/sbin/fwconsole start
Thanks so much for the reply. chkconfig was starting asterisk. I ran the command: chkconfig --del asterisk
However adding the line to /etc/rc.local
/usr/sbin/fwconsole start
Still doesn’t start Asterisk. After a reboot. Freepbx is showing red bar at top right. “can no connect to asterisk”.
After issuing a fwconsole start everything is ok.
I noticed /etc/init.d/rc.local doesn’t exist. Any ideas?
[ro#ls -ls rc.local
4 -rwxr-xr-x 1 root root 246 Apr 7 23:14 rc.local
So I added the line: /usr/sbin/fwconsole start
to: /etc/rc.d/rc.local
and it worked. Thanks for your help!