AGI files permissions change

Hi,

After a reload, all the AGI files have their permissions changed to 0753 and Asterisk gives an “access denied” error when trying to run those scripts.

I changed the permissions to 0555 and it worked OK.

But as soon as I run a reload, the same problem occurs.

Any idea?

Thank you

Onagan

Don’t run Asterisk as root; there is no reason for it to do so, and you are only inviting potential Asterisk exploits to compromise your entire system.

This is from my httpd.conf:
User asterisk
Group asterisk

Here’s the exact log from when a call comes in with those file permissions:

[Feb 25 13:25:18] VERBOSE[29929] pbx.c: -- Executing [[email protected]:3] AGI("SIP/1-SPA3000-00000407", "dialparties.agi") in new stack
[Feb 25 13:25:18] VERBOSE[29929] res_agi.c: -- Launched AGI Script /var/lib/asterisk/agi-bin/dialparties.agi
[Feb 25 13:25:18] VERBOSE[29929] res_agi.c: dialparties.agi: Failed to execute '/var/lib/asterisk/agi-bin/dialparties.agi': Permission denied
[Feb 25 13:25:18] VERBOSE[29929] pbx.c: -- Executing [[email protected]:4] NoOp("SIP/1-SPA3000-00000407", "Returned from dialparties with no extensions to call and DIALSTATUS: ") in new stack

Is it a problem that asterisk is running as root?

[[email protected] agi-bin]# ps aux | grep asterisk
root 1872 0.0 0.0 4624 544 ? S Jan06 0:00 /bin/sh /usr/sbin/safe_asterisk
root 1887 0.0 12.3 149404 127936 ? Sl Jan06 35:11 /usr/sbin/asterisk -f -vvvg -c
asterisk 11931 0.0 2.3 46348 24600 ? S Feb20 4:13 /usr/sbin/httpd
asterisk 11932 0.0 2.5 48456 26808 ? S Feb20 4:13 /usr/sbin/httpd
asterisk 11933 0.0 2.6 48784 27296 ? S Feb20 4:10 /usr/sbin/httpd
asterisk 11934 0.0 2.6 48448 27352 ? S Feb20 4:09 /usr/sbin/httpd
asterisk 11935 0.0 2.4 47280 25528 ? S Feb20 4:10 /usr/sbin/httpd
asterisk 11936 0.0 2.5 47964 26452 ? S Feb20 4:06 /usr/sbin/httpd
asterisk 11937 0.0 2.6 48508 26988 ? S Feb20 4:08 /usr/sbin/httpd
asterisk 11938 0.0 2.4 47000 25392 ? S Feb20 4:09 /usr/sbin/httpd
root 30042 0.0 0.0 4004 664 pts/0 R+ 13:34 0:00 grep asterisk

By “reload” I mean change any setting in FreePBX that causes the “click here to reload” banner to appear, and click on the banner. After that, dialparties.agi is no longer executable.

Here is /var/lib/asterisk/agi-bin before reloading:
-rwxrwxr-x 1 asterisk asterisk 1742 Sep 30 16:09 agi-test.agi
-rwxr-xr-x 1 asterisk asterisk 1872 Feb 22 16:04 checksound.agi
-rwxr-xr-x 1 asterisk asterisk 30970 Feb 22 16:04 dialparties.agi
-rwxr-xr-x 1 asterisk asterisk 13305 Feb 22 16:04 directory
-rwxr-xr-x 1 asterisk asterisk 4435 Feb 22 16:04 directory.agi
-rwxr-xr-x 1 asterisk asterisk 12903 Feb 22 16:04 directory.lib.php
-rwxrwxr-x 1 asterisk asterisk 86431 Sep 30 16:09 eagi-sphinx-test
-rwxrwxr-x 1 asterisk asterisk 143755 Sep 30 16:09 eagi-test
-rwxr-xr-x 1 asterisk asterisk 5638 Feb 22 16:04 enumlookup.agi
-rwxr-xr-x 1 asterisk asterisk 1613 Feb 22 16:04 fixlocalprefix
-rwxrwxr-x 1 asterisk asterisk 14530 Sep 30 16:09 jukebox.agi
-rwxr-xr-x 1 asterisk asterisk 2003 Feb 22 16:04 list-item-remove.php
-rwxr-xr-x 1 asterisk asterisk 10262 Feb 22 16:04 pbdirectory
-rwxrwxr-x 1 asterisk asterisk 26904 Feb 22 15:41 phpagi-asmanager.php
-rwxrwxr-x 1 asterisk asterisk 65906 Feb 22 15:41 phpagi.php
-rwxr-xr-x 1 asterisk asterisk 3710 Feb 22 16:04 queue_devstate.agi
-rwxr-xr-x 1 asterisk asterisk 21117 Feb 22 16:04 sql.php
-rwxr-xr-x 1 asterisk asterisk 18005 Feb 22 16:04 user_login_out.agi

Now, I change a setting in FreePBX and click on “Apply Configuration Changes”, then “Continue with reload”.

Now, here it is:
-rwxrwxr-x 1 asterisk asterisk 1742 Sep 30 16:09 agi-test.agi
-rwxr-xr-- 1 asterisk asterisk 1872 Feb 23 17:42 checksound.agi
-rwxr-xr-- 1 asterisk asterisk 30970 Feb 23 17:42 dialparties.agi
-rwxr-xr-- 1 asterisk asterisk 13305 Feb 23 17:42 directory
-rwxr-xr-- 1 asterisk asterisk 4435 Feb 23 17:42 directory.agi
-rwxr-xr-- 1 asterisk asterisk 12903 Feb 23 17:42 directory.lib.php
-rwxrwxr-x 1 asterisk asterisk 86431 Sep 30 16:09 eagi-sphinx-test
-rwxrwxr-x 1 asterisk asterisk 143755 Sep 30 16:09 eagi-test
-rwxr-xr-- 1 asterisk asterisk 5638 Feb 23 17:42 enumlookup.agi
-rwxr-xr-- 1 asterisk asterisk 1613 Feb 23 17:42 fixlocalprefix
-rwxrwxr-x 1 asterisk asterisk 14530 Sep 30 16:09 jukebox.agi
-rwxr-xr-- 1 asterisk asterisk 2003 Feb 23 17:42 list-item-remove.php
-rwxr-xr-- 1 asterisk asterisk 10262 Feb 23 17:42 pbdirectory
-rwxrwxr-x 1 asterisk asterisk 26904 Feb 22 15:41 phpagi-asmanager.php
-rwxrwxr-x 1 asterisk asterisk 65906 Feb 22 15:41 phpagi.php
-rwxr-xr-- 1 asterisk asterisk 3710 Feb 23 17:42 queue_devstate.agi
-rwxr-xr-- 1 asterisk asterisk 21117 Feb 23 17:42 sql.php
-rwxr-xr-- 1 asterisk asterisk 18005 Feb 23 17:42 user_login_out.agi

The above rights after you click on Apply Changes are correct. Check your httpd.conf so that both group and user are set to asterisk.

“reload” of what?

Please give full details of what you do. I see that the first reporter uses Elastix; there might be some script added there that does something that FreePBX does not.

I can’t believe that this problem is so rare. Every time I reload, the permissions get reset (execute gets removed) on dialparties.agi. Does this really not happen to anyone else?

Since Asterisk itself is running as root, setting the agi-bin files to root:root also fixes the problem. Are there any FreePBX ramifications for doing this?

I understand that it would be better to run Asterisk as a non-root user. However, it doesn’t seem like this is the normal configuration.

This is CentOS 5.5, FreePBX 2.8.1.0, Asterisk 1.8.0. I really need dialparties.agi to stop having its permissions messed with.

I have the same issue. It started yesterday. It only affects ring groups, with permission denied when a ring group is called and the call goes to the final destination.

Use chmod 777 dialparties.agi, which fixes it, and after a reload it reverts.

FreePBX 2.8
Elastix 2

Which version of FreePBX?
Is this a distro of some sort? Please give more details.

I have the same issue. A reload changes the permissions in the /var/lib/asterisk/agi-bin/ directory to 754. I started looking into do_reload, which is the function that executes when you do a reload in FreePBX, and then found two places where a chmod to 754 occurs in retrieve-conf, but it’s only supposed to affect the modules directory. Also, function err_copy does a chmod to 754. I still don’t know why it’s being applied to my agi directory. Help please.
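
Added example, not part of the thread and not FreePBX or Asterisk code: a small audit that parses `ls -l` output like the listings above and reports which agi-bin entries a given account cannot execute under the plain owner/group/other check, and which have been left world-writable by a `chmod 777` workaround. It assumes the process gets no capability override (consistent with the denial reported above for mode 754); the function names are hypothetical and the sample lines are copied from the thread's post-reload listing.

```python
# Constructed sample: three lines taken from the thread's "after reload" listing.
LISTING_AFTER = """\
-rwxrwxr-x 1 asterisk asterisk 1742 Sep 30 16:09 agi-test.agi
-rwxr-xr-- 1 asterisk asterisk 30970 Feb 23 17:42 dialparties.agi
-rwxr-xr-- 1 asterisk asterisk 21117 Feb 23 17:42 sql.php
"""


def parse_ls_line(line):
    """Turn one `ls -l` line into (mode_bits, owner, group, name)."""
    fields = line.split(None, 8)
    mode = 0
    # Characters 1..9 are rwx for owner, group, other; '-', 'S', 'T' mean "bit not set".
    for i, ch in enumerate(fields[0][1:10]):
        if ch not in "-ST":
            mode |= 1 << (8 - i)
    return mode, fields[2], fields[3], fields[8]


def can_execute(mode, owner, group, proc_user, proc_groups):
    """Classic Unix check: exactly one class applies (owner, else group, else other)."""
    if proc_user == owner:
        shift = 6
    elif group in proc_groups:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & 0o1)


def audit(listing, proc_user, proc_groups):
    """Return {filename: finding} for regular files in an `ls -l` listing."""
    findings = {}
    for line in listing.splitlines():
        if not line.startswith("-"):  # skip directories, links, "total" lines
            continue
        mode, owner, group, name = parse_ls_line(line)
        if not can_execute(mode, owner, group, proc_user, proc_groups):
            findings[name] = "not executable by " + proc_user
        elif mode & 0o002:
            findings[name] = "world-writable"
    return findings


if __name__ == "__main__":
    # Asterisk running as root:root versus asterisk:asterisk, as discussed in the thread.
    for user in ("root", "asterisk"):
        print(user, audit(LISTING_AFTER, user, {user}))
```

Run it with the account shown by `ps aux | grep asterisk`: an empty result for the user Asterisk actually runs as means the post-reload 754 modes are sufficient, and a "world-writable" finding marks a script any local account could modify.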