Any way to disable module signature checking for an individual module?

No it’s not. All of the other modules are still checked for sanity. The only problems that will happen are if “bad guys” mess with the two modules I’ve excluded in the future; I won’t be notified. I’ve accepted that risk for these 2 modules, and only these 2 modules. Your suggestion of disabling it totally would mean that every single module I have would be unchecked… not what I want.

2 modules being unchecked is acceptable risk to me. 30+ is not.

I didn’t read this whole post, so I must have missed the “hate” posts. I don’t hate you, here’s a :hug: to prove it. Hah.

As for a secure way to do this, I’m not sure one exists, at least not the way you want it to. This is OSS, things can be edited. To me (a complete outsider not privy to any conversations about module signing) it seems that FreePBX module signing is Schmooze’s way of trying to defend someone’s network when the customers should be doing that themselves with firewalls and proper security config throughout their networks. It’s not the job of a VoIP server to protect a network. If someone can get inside the network far enough to edit PHP code on a server, FreePBX module signing is the least of your worries.

I’d personally be happy with the simple checking done with the module.sig file. Then if we edit any code we can simply update the hash and be happy. Obviously hackers can do that too, but like I said above, acceptable risk. This is OSS after all. The only secure way to do what module signing is supposed to do in theory is to make all modules compiled binaries, and I doubt anyone wants that. I’ve had to deal with ZEND compiled PHP before and I wanted to hang myself.

So in the bigger conversation, my 2 cents is that module signing is too restrictive considering this is all OSS. Customers should have their own defense strategy to prevent people from getting into their servers.

So what do you think? Sorry if this post sounds too attacky.

It’ll ignore any modules that start with cxpanel or framework

Yeah, I didn’t put the $ at the end of the regex. I’ll edit my post…


That’s totally up to you, but in my opinion, by ignoring ANY module, your machine can be 100% owned without you knowing about it (for example, any module can register hooks that can be run on ANY post or get of any page. If someone hacks cxpanel, they have hacked the entire machine).

Well, there are two levels of pwnage. The first, easiest, level is something like Shellshock, where any entrypoint is a potential attack target. Or a bug in something like PhpMyAdmin, or … ANYTHING that gives an attacker ‘web-user’ permissions on the machine.

The second is when they’re root. We can’t defend against this. Once they’re root, the game is over, they own the machine, and nothing can be trusted on that machine again. So we don’t even try.

But the idea behind GPG is ‘what happens when an attacker DOES get in as the web user, and how can we defend against that’.

Nope, not at all. Firstly, GPG was 100% my idea, I pushed it, and I wrote most of it. Schmooze just happened to pay my wages whilst I wrote it. Additionally, it’s got nothing to do with networks, or defence. It’s purely to detect attacks against FreePBX. You can, for example, find a vulnerability in FreePBX, use it to get access to the machine, and then add and modify stuff outside of the FreePBX webroot, and GPG doesn’t notice.

Totally not an acceptable risk for me. Now, Sangoma may come and lean on me and say ‘We need to make Module Signing Brain Dead’ (however they phrase it, that’s how I’ll hear it), and … well, now I think about it, I probably won’t do it, even if they ordered me to. GPG is my baby, and I care deeply about it. I realise it’s not PERFECT, but it’s good enough for the moment. I think.

I am unsure if I agree with that. There are two things that need to be done (at the moment) if you want to edit a module, and not have it display the warning up the top of the page. The first thing is to request your key be signed by the FreePBX key, and the second thing is to check out the devtools repo from git, and use the tools in there to re-sign the package.

There is a page somewhere on the wiki that explains all this.

I realise that it could be simplified to just one thing, by adding some check-if-files-are-owned-by-root validation to the GPG stuff, but it’s just not terribly high on my priorities. However, having just LOOKED at the code that needs to be fixed, it’s probably NOT that much work, now I think about it.

You also want to move it above ‘Get the module.sig file’, too.

After 13 is stable let’s work on this.


If an attacker gets in as the web user it’s game over for FreePBX anyway. The web user is the owner of all FreePBX PHP files (I didn’t change any permissions, it’s the way it was installed from the ISO). So if someone gets in as the web user they can make the same modification as I did to the GPG.class.php file and bypass everything anyway. GPG signing won’t prevent that. So I fail to see how module signing really does anything to help.

After reading your post further you made it seem like a lot of these files are supposed to be owned by root, not the web user. That’s not the case on my install. Literally every file in /var/www/html is owned by the web user. If these files were owned by root and readable by the web user that would be a step in the right direction.

This, to me, is unacceptable. For something that should be as easy as a checkbox on a web page no FreePBX admin should ever have to create a GPG key, clone repos, or anything like that. You’re expecting people to be developers in order to do a seemingly simple thing and they aren’t. (I am, as well as an infosec engineer, so this isn’t a problem for me but for people who are simply VoIP people this is crazy).

I wholly understand that this is an edge case; most people will never have the need to edit the source of modules. But some of us do. The bottom line is that if there is critical code that you want to ensure doesn’t get tampered with it needs to be present in binary form. Otherwise, it can be edited by anyone, good or bad, and there is no way programmatically to detect one versus the other. So any protections in place hurt legitimate modifications. But just as I accepted the risk of not validating certain modules you accepted the risk of annoying certain customers in order to better protect everyone else. I get it.

I’m happy with my hack. It works for me. Would I like a GUI option to do what I did in code? Of course. But I’m not going to ask any of you to do that because there are more important things to do.

Theoretically, yes. Practically, no. There’s no advantage for an attacker to destroy a FreePBX machine. Financially, it’s in their best interest to either steal SIP credentials or zombie the machine into a spambot.

I actually accidentally clicked on your profile when I saw the email alert about the reply, and you have ‘security’ in there, so it’s great to have someone ELSE who thinks about this stuff… It’s pretty much just been me driving this.

As a background, most of this discussion has happened in IRC with other people, and discussions at various conferences with other people, so I totally understand that you’re coming in blind. So I’m going to go through some things that we’ve talked about, and (hopefully!) you can poke holes, or offer suggestions about what we’ve done.

So. The entire reasoning behind FreePBX’s Module Signing is to make sure users have a way to be notified if someone has changed a file or tampered with a module. Over the past few years we have seen more and more attacks on FreePBX systems and most of the time the hackers were modifying FreePBX modules and users had no way of knowing something had been modified.

That’s it. That’s all it’s for. That was actually (slightly paraphrased) the introductory paragraph I wrote about GPG when I was pushing for it.

That depends on the aim of the attacker. If their aim is to be stealthy, we want to detect that and make lots of noise. If their aim is not stealthy, then we don’t care, you’re going to notice anyway.

That’s exactly correct. And there’s nothing we can do to stop that, and that is why we turn module signature validation back on whenever framework is updated. That gives us a good compromise with people who don’t have their machine connected to the internet and want to do lots of custom code and NOT sign their code, and people who do have their machine connected to the internet.

So, at worst, a blackhat hacks their machine, removes the alerts before they’re triggered, and then starts adding malicious code. At some point, the owner is going to run an update which updates framework, module signing gets turned on, and immediately all the red flags go up and emails get fired out.

So there’s a window there, and I have no idea how to close that. Suggestions would be welcome :sunglasses:

No. I was suggesting that the GPG class check for root owned files as ‘overrides’.
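Added example, not code from FreePBX or from anyone in this thread: a small Python sketch of the override idea above. A manifest of file hashes (standing in for the module.sig hashes mentioned earlier) is checked, and a changed file is reported as a deliberate override only when root owns it and the web user cannot write to it; anything else that differs is reported as tampered. File names and contents are constructed, and because the example cannot chown to root, the demo lets the current uid stand in for root.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from functools import partial
from pathlib import Path
from typing import Callable, Dict, List

@dataclass
class VerifyResult:
    ok: List[str] = field(default_factory=list)          # hash matches the manifest
    tampered: List[str] = field(default_factory=list)    # changed and writable by the web user
    overridden: List[str] = field(default_factory=list)  # changed, but a root-owned override
    missing: List[str] = field(default_factory=list)     # listed in the manifest, not on disk

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_root_owned_override(path: Path, root_uid: int = 0) -> bool:
    # Policy from the thread: a change is deliberate only if root owns the file and the web user cannot write it.
    st = path.stat()
    return st.st_uid == root_uid and not (st.st_mode & 0o022)

def verify_module(module_dir: Path, manifest: Dict[str, str],
                  override_check: Callable[[Path], bool] = is_root_owned_override) -> VerifyResult:
    result = VerifyResult()
    for rel, expected in sorted(manifest.items()):
        path = module_dir / rel
        if not path.is_file():
            result.missing.append(rel)
        elif sha256_of(path) == expected:
            result.ok.append(rel)
        elif override_check(path):
            result.overridden.append(rel)
        else:
            result.tampered.append(rel)
    return result

def demo() -> VerifyResult:
    # Constructed sample: one untouched file, one root-style override, one world-writable edit.
    tmp = Path(tempfile.mkdtemp())
    for name in ("Cxpanel.class.php", "functions.inc.php", "page.cxpanel.php"):
        (tmp / name).write_bytes(b"<?php // original\n")
    manifest = {p.name: sha256_of(p) for p in tmp.iterdir()}  # stands in for module.sig
    (tmp / "functions.inc.php").write_bytes(b"<?php // deliberate local change\n")
    os.chmod(tmp / "functions.inc.php", 0o644)
    (tmp / "page.cxpanel.php").write_bytes(b"<?php // unexpected edit\n")
    os.chmod(tmp / "page.cxpanel.php", 0o666)
    # The example cannot chown to root, so the current uid stands in for root here.
    return verify_module(tmp, manifest, partial(is_root_owned_override, root_uid=os.getuid()))
```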

I agree 100%. And no FreePBX admin has to do that. The only people who DO need to do that are people who want to be developers. The same way they need to learn how to use a text editor, understand what regular expressions are, and other things, they should be reading the Development part of the Wiki, which steps them all through this.

That’s not what we want to do. We want to warn people that code has been changed from the original packaging by the author. It doesn’t block, except in one, exceptional, circumstance that we’ve never used (when a developer with a signed key goes rogue, a revoked signature on a key blocks that module from running totally).

On the other hand, if people want to change one line in a file, then change the file. Click on the ‘X’ in the top right hand corner of the alert window, and move on. There’s nothing blocking anything anywhere, and you’ll never see the alert again. But, you’ve seen it ONCE, and that’s the important thing that we’re trying to achieve.

The problem there is ‘How do I stop the attacker from doing that?’, and as you pointed out, we can’t. So that’s why we’ve gone to all this effort to make it as foolproof as possible.

I’m trying not to be a prick here, but I can’t really think of a way to ask this question WITHOUT seeming like a prick. Sorry. But, here it is.

How is a dismissable, one-time alert, that correctly alerts you that files have been modified on your system from what they should be, annoying?

As a partially impartial observer, I take both of your arguments seriously. @xrobau has a solution that requires one to “trust” a third party (Sangoma) for a legitimate OSS effort (which would be the whole key signing thing; in effect Sangoma “owns” such keys). @slonkak has IMHO a reasonable solution to isolate the code that is not guaranteed by Sangoma, but IS guaranteed by himself; he obviously has the ability to argue his case, and presumably provide prophylaxis against such penetration. I hate to say it, but the granny state in OSS seems to me, an old fart in this world, a little intrusive.

Please don’t get me wrong, I also hug Rob for his efforts, but is it possible to make the whole thing either “you use my method” or “turn it off completely, any code change must be delegated to a third party”, or accept that some might not fully “trust” your keys, or maybe a middle line for the old hairy dudes?

No… That whole module stuff explicitly says this is not about trust.

No, again. It’s stuff that he’s happy to get changed. Again, not guaranteed.

This is where everyone seems to get confused about signing 8-\

It’s integrity validation, and that’s it.

That’s exactly how it is now.

Again, no trust is there.

I’m sorry, perhaps I misunderstand, but who has the “trust” against the generated keys, and why does Sangoma accept those keys without question? Could not any interloper do the same thing, given enough acquired privilege?

I think you do… Have a read through the module signing part of the Wiki, it might answer your questions a bit better.

http://wiki.freepbx.org/pages/viewpage.action?pageId=29753662

With trust… There is just ‘this is the person who packaged this module’, or, ‘I don’t know who packaged this module’, or, what NORMALLY happens, ‘The person who packaged this module said that this file is ABC, but it’s been changed to ABD’.

That’s NOT what this is about. This is to cover the most common attack vector, which is - for example - when someone’s left PhpMyAdmin running on their server, and now you have given random people shell access as the web user.

I want people to figure out holes, and potential weaknesses, but once the attacker is root, the game is over, and there’s nothing anyone can do from then on, so it’s not something we’re even trying to address.

http://literature.schmoozecom.com/EUA/GPG-KEY-SIGNING.pdf

How are you guys not involved, even as a second derivative?

Uh, you talked about trust? There is no trust. If we wanted to get TRUST involved, you would have needed to get a proper Code Signing Certificate, and oh my god those things are a terrible pain in the arse to get. It took me almost 2 months to get mine, sending faxes of passports and all sorts of things. It was a nightmare.

Exactly, if you trust yourself then you are self trusted. Is this a circular argument or what? This is our own sh*t, not an effing aussie passport/visa (been there as a foreigner) :slight_smile:

(I’m still unconvinced. If I need a key I have to ask you guys?)

Umm, yes? I guess if you’re trying to say it’s the same thing as putting a Self Signed Certificate on a webserver, then yes, that’s EXACTLY the same.

And, if you read back, we were talking about ways to implement this.

No. Sangoma Documentation

Actually, I think you’re thinking that because of poor phrasing of the heading. I’m just fixing it now.

That I understand. I just doubt the methodology so far implemented; you will have to further convince me why my self signed certificate is not reasonably acceptable, which is surely the nub of this discourse. I don’t want to sign an agreement with a commercial enterprise to implement an OSS solution.

It is acceptable. Just no-one’s written the code to do it. I’m hoping that @slonkak will join in and point out any potential pitfalls, as there’s going to be lots 8-\

Well, that’s up to you, and if that’s what you’ve decided, then that’s your choice. I’m not here to change your mind.

Edit, slightly later: As I was re-reading this, I want to clarify for anyone else reading, there is no need for a user, implementer, admin, or anyone who’s NOT a developer, to sign any agreements with anyone to implement an OSS solution.

If you want to be a developer, not an implementer, then yes, you should act like a developer and have all the correct tools, and one of them - along with an understanding of PHP, a text editor, and far too much caffeine - is having your key signed.

Saying that - even if you, as a user, want to change something in a file, you can simply edit that file, acknowledge the warning that the file has been changed from the distributed version, and move on. Nothing’s stopping you. We just want to make sure that you, the user, KNOWS that a file has been changed.

But if you’re CONTINUOUSLY editing a file, because it’s not quite right or something, then perhaps you should be sending us a patch so that EVERYONE can do the cool thing that you’re doing.

hehe, I will stand by to stand by.

Thanks for your ongoing patience with some of us doubters.

(I doubt whether you or I will change my mind, I am and have been an Obdurate for a long time)

Here is an example that goes to the root of why we might want to change your signed modules:

http://issues.freepbx.org/browse/FREEPBX-9170

Closed without comment.

Why in god’s green earth would our clients need to be forced to the admin interface by default? It makes no sense to me, but as I say I am obdurate :slight_smile:

Well, that’s new to me

Note how ANONYMOUS closed it? That shouldn’t even be possible.

Anyway, the easiest way to do what you want to do is go into system admin → port management, and change UCP to listen on port 80, and Admin on port 81.

gotta trust anonymous, no? :wink:


Yes, we implemented a new ticket transition called “needs feedback”. I forgot that if I don’t lock down permissions, Internet spiders hit the buttons that do all sorts of actions. Like close tickets.

As Rob and I said, the plan is for a root owned master file that works separate from the FreePBX keys (side bar: yes, there are people that pointed this process out months ago). In time we will do it, but the feedback from the community on it is nil. Besides this thread. When we asked for feedback over email and twitter we got nothing. We are just fixing what the people want us to fix and work on. If they really hated this I would think we’d see tickets and emails and letters and comments. But to this day there is only this thread and one on dsl reports. And the dsl reports one isn’t complaining to us. Just complaining about the situation. It’s like if I had a problem with a bank and I went to bankreports.com to complain about it. How is said bank to know what to do?

To be really honest this thread wears on my soul. As it does for most of us. The same topics are rehashed over and over, and this thread itself has caused people in other forums to call me a “5-year-old” and to just generally mock and disrespect myself and my peers, and has caused a ton of misconceptions about myself and the people I work with. I groan when it shows back up. As much as I want to close it I won’t. People can have their say, but everything that will ever be asked about this can be explained through the 80 replies already in this thread.

Including a module fix done by Rob and then a few weeks later notification fixes (where you can disable email alerts for unsigned modules completely) done by myself and Rob and now with talk of the root owned master file. I just think it’s been overly hashed and everything is laid out on the table no? For the little feedback we got (0 emails, 0 letters) it really seems like a ton of wasted effort. The fact that I got called a “5-year-old” makes me want to fix it even less. But I digress.

Ironically we are talking about how easy it is to circumvent yet the patch above only bypasses two modules. If you don’t believe in the theory here then why not get rid of it all together? Why just the other modules?
