Agi files permissions change

onagan · November 29, 2010, 10:17pm

Hi,

After a reload, all the AGI files have the permissions changed to 0753 and Asterisk give a “access denied” error when trying to run those scripts.

I changed the permissions to 0555 and it worked OK.

But, as soon as I run a reload, same problem occur.

Any idea ???

Thank you

Onagan

plindheimer · March 8, 2011, 6:42pm

don’t run asterisk as root, there is no reason for it to do so and you are only inviting potential asterisk exploits to compromise your entire system.

jamiehankins · February 25, 2011, 6:45pm

This is from my httpd.conf:
User asterisk
Group asterisk

Here’s the exact log from when a call comes in with those file permissions:

[Feb 25 13:25:18] VERBOSE[29929] pbx.c: – Executing [s@macro-dial:3] AGI(“SIP/1-SPA3000-00000407”, “dialparties.agi”) in new stack
[Feb 25 13:25:18] VERBOSE[29929] res_agi.c: – Launched AGI Script /var/lib/asterisk/agi-bin/dialparties.agi
[Feb 25 13:25:18] VERBOSE[29929] res_agi.c: dialparties.agi: Failed to execute ‘/var/lib/asterisk/agi-bin/dialparties.agi’: Permission denied
[Feb 25 13:25:18] VERBOSE[29929] pbx.c: – Executing [s@macro-dial:4] NoOp(“SIP/1-SPA3000-00000407”, "Returned from dialparties with no extensions to call and DIALSTATUS: ") in new stack

Is it a problem that asterisk is running as root?

[root@phoneserver agi-bin]# ps aux | grep asterisk
root 1872 0.0 0.0 4624 544 ? S Jan06 0:00 /bin/sh /usr/sbin/safe_asterisk
root 1887 0.0 12.3 149404 127936 ? Sl Jan06 35:11 /usr/sbin/asterisk -f -vvvg -c
asterisk 11931 0.0 2.3 46348 24600 ? S Feb20 4:13 /usr/sbin/httpd
asterisk 11932 0.0 2.5 48456 26808 ? S Feb20 4:13 /usr/sbin/httpd
asterisk 11933 0.0 2.6 48784 27296 ? S Feb20 4:10 /usr/sbin/httpd
asterisk 11934 0.0 2.6 48448 27352 ? S Feb20 4:09 /usr/sbin/httpd
asterisk 11935 0.0 2.4 47280 25528 ? S Feb20 4:10 /usr/sbin/httpd
asterisk 11936 0.0 2.5 47964 26452 ? S Feb20 4:06 /usr/sbin/httpd
asterisk 11937 0.0 2.6 48508 26988 ? S Feb20 4:08 /usr/sbin/httpd
asterisk 11938 0.0 2.4 47000 25392 ? S Feb20 4:09 /usr/sbin/httpd
root 30042 0.0 0.0 4004 664 pts/0 R+ 13:34 0:00 grep asterisk

jamiehankins · February 23, 2011, 11:07pm

By “reload” I mean change any setting in FreePBX that causes the “click here to reload” banner to appear, and click on the banner. After that, dialparties.agi is no longer executable.

Here is /var/lib/asterisk/agi-bin before reloading:
-rwxrwxr-x 1 asterisk asterisk 1742 Sep 30 16:09 agi-test.agi
-rwxr-xr-x 1 asterisk asterisk 1872 Feb 22 16:04 checksound.agi
-rwxr-xr-x 1 asterisk asterisk 30970 Feb 22 16:04 dialparties.agi
-rwxr-xr-x 1 asterisk asterisk 13305 Feb 22 16:04 directory
-rwxr-xr-x 1 asterisk asterisk 4435 Feb 22 16:04 directory.agi
-rwxr-xr-x 1 asterisk asterisk 12903 Feb 22 16:04 directory.lib.php
-rwxrwxr-x 1 asterisk asterisk 86431 Sep 30 16:09 eagi-sphinx-test
-rwxrwxr-x 1 asterisk asterisk 143755 Sep 30 16:09 eagi-test
-rwxr-xr-x 1 asterisk asterisk 5638 Feb 22 16:04 enumlookup.agi
-rwxr-xr-x 1 asterisk asterisk 1613 Feb 22 16:04 fixlocalprefix
-rwxrwxr-x 1 asterisk asterisk 14530 Sep 30 16:09 jukebox.agi
-rwxr-xr-x 1 asterisk asterisk 2003 Feb 22 16:04 list-item-remove.php
-rwxr-xr-x 1 asterisk asterisk 10262 Feb 22 16:04 pbdirectory
-rwxrwxr-x 1 asterisk asterisk 26904 Feb 22 15:41 phpagi-asmanager.php
-rwxrwxr-x 1 asterisk asterisk 65906 Feb 22 15:41 phpagi.php
-rwxr-xr-x 1 asterisk asterisk 3710 Feb 22 16:04 queue_devstate.agi
-rwxr-xr-x 1 asterisk asterisk 21117 Feb 22 16:04 sql.php
-rwxr-xr-x 1 asterisk asterisk 18005 Feb 22 16:04 user_login_out.agi

Now, I change a setting in FreePBX and click on “Apply Configuration Changes”, then “Continue with reload”.

Now, here it is:
-rwxrwxr-x 1 asterisk asterisk 1742 Sep 30 16:09 agi-test.agi
-rwxr-xr-- 1 asterisk asterisk 1872 Feb 23 17:42 checksound.agi
-rwxr-xr-- 1 asterisk asterisk 30970 Feb 23 17:42 dialparties.agi
-rwxr-xr-- 1 asterisk asterisk 13305 Feb 23 17:42 directory
-rwxr-xr-- 1 asterisk asterisk 4435 Feb 23 17:42 directory.agi
-rwxr-xr-- 1 asterisk asterisk 12903 Feb 23 17:42 directory.lib.php
-rwxrwxr-x 1 asterisk asterisk 86431 Sep 30 16:09 eagi-sphinx-test
-rwxrwxr-x 1 asterisk asterisk 143755 Sep 30 16:09 eagi-test
-rwxr-xr-- 1 asterisk asterisk 5638 Feb 23 17:42 enumlookup.agi
-rwxr-xr-- 1 asterisk asterisk 1613 Feb 23 17:42 fixlocalprefix
-rwxrwxr-x 1 asterisk asterisk 14530 Sep 30 16:09 jukebox.agi
-rwxr-xr-- 1 asterisk asterisk 2003 Feb 23 17:42 list-item-remove.php
-rwxr-xr-- 1 asterisk asterisk 10262 Feb 23 17:42 pbdirectory
-rwxrwxr-x 1 asterisk asterisk 26904 Feb 22 15:41 phpagi-asmanager.php
-rwxrwxr-x 1 asterisk asterisk 65906 Feb 22 15:41 phpagi.php
-rwxr-xr-- 1 asterisk asterisk 3710 Feb 23 17:42 queue_devstate.agi
-rwxr-xr-- 1 asterisk asterisk 21117 Feb 23 17:42 sql.php
-rwxr-xr-- 1 asterisk asterisk 18005 Feb 23 17:42 user_login_out.agi

mickecarlsson · February 24, 2011, 6:43am

The above rights after you click on Apply Changes are correct. Check your httpd.conf so that both group and user are set to asterisk.

mickecarlsson · February 23, 2011, 5:47am

“reload” of what?

Please give full details of what you do. I see that the first reporter use Elastix, there might be some script added there that do something that FreePBX does not.

jamiehankins · February 22, 2011, 9:48pm

I can’t believe that this problem is so rare. Every time I reload, the permissions get reset (execute gets removed) on dialparties.agi. Does this really not happen to anyone else?

jamiehankins · March 8, 2011, 6:25pm

Since Asterisk itself is running as root, setting the agi-bin files to root:root also fixes the problem. Are there any FreePBX ramifications for doing this?

I understand that it would be better to run Asterisk as a non-root user. However, it doesn’t seem like this is the normal configuration.

jamiehankins · January 30, 2011, 5:53am

This is CentOS 5.5, FreePBX 2.8.1.0, Asterisk 1.8.0. I really need dialparties.agi to stop having its permissions messed with.

pureserve · December 15, 2010, 4:57pm

i have the same issue. started yesterday. only affects ring groups with permission denied when a ring group is called and the call goes to final destination

use chmod 777 dialparties.agi which fixes and after a reload it reverts

freepbx 2.8
elastix 2

mickecarlsson · December 15, 2010, 5:44am

Which version of FreePBX?
Is this a distro of some sort? Please give more details.

nate55 · December 14, 2010, 8:13pm

I have the same issue. A reload changes the permissions in the /var/lib/asterisk/agi-bin/ directory to 754. I started looking into do_reload, which is the function that executes when you do a reload in freepbx and then found two places where a chmod to 754 occurs in retrieve-conf, but its only supposed to affect the modules directory, also function err_copy does a chmod to 754. Still don’t know why its being applied to my agi directory. Help please.