Dialplan Executing Shell Script But Chroot Blocking Required Access


(JC) #1

Trying to be as exhaustive in the title, but now I think I should have shortened it. :slight_smile:

I have a script that I am using to transcribe voicemails via the Google Cloud Speech API that is on my account. The script, and voicemail transcriptions work flawlessly when I run the script the following ways:

[root@pbx ~] # /var/lib/asterisk/bin/makevmal.sh "SIP/TRUNK" 2535551234 "Tue Nov 26 03:01:24 PM EST 2019" 1574798484 127 1574798478.463 7

as asterisk:
[asterisk@pbx ~] # /var/lib/asterisk/bin/makevmal.sh "SIP/TRUNK" 2535555555 "Tue Nov 26 03:01:24 PM EST 2019" 1574798484 127 1574798478.463 7

and from the asterisk CLI (as asterisk):

pbx*CLI> !/var/lib/asterisk/bin/makevmal.sh "SIP/TRUNK" 2535555555 "Tue Nov 26 03:01:24 PM EST 2019" 1574798484 127 1574798478.463 7

The script always works.

But when the dialplan executes the script, I get an error that gcloud can’t find the necessary profile data, which is sitting both at /root/.config/gcloud and at /home/asterisk/.config/gcloud. I then configured the script to spit out the current user that is running the script, and it reports that ‘root’ is running it, from within the /tmp directory. I then added a piece of code to detect if it is chrooted, and it reports that it is indeed chrooted.

My question:
I don’t want to lower the security of the PBX by disabling or circumventing chroot, but how can my script work so that it can actually read from the .config directory? I already ran chmod ‘755’ on the config directories, and tried with asterisk:asterisk as owner, and even with chmod ‘777’, but still no dice. If all I need to do is figure out how to create a chrooted profile for the root user with gcloud, then I’m good to go. But I don’t know how to do that, and at least would like to see if I can change the dialplan so that it runs more elevated.

Any ideas? What am I missing?

I’m literally about to start slamming my head against the keyboard. I’ve come close to tears as it is. -_-

Thanks,
JC
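The post above describes adding code to the script to report the running user and whether the process is chrooted. The following diagnostic is an added example, not part of the original thread or of the poster's makevmal.sh: it prints the facts that differ between an interactive shell and a dialplan-launched process (user, HOME, working directory, PATH, gcloud's CLOUDSDK_CONFIG override if set, and a chroot check), and tests whether the config directory is actually readable by the current user. It assumes a Linux host with /proc mounted and GNU coreutils `stat`; run it once from the dialplan and once from the CLI and diff the two outputs.

```shell
#!/bin/sh
# Added diagnostic (not the thread's script): report the context a
# dialplan-launched script really runs in. Asterisk's System() hands the
# command to /bin/sh, so this can be called from the dialplan unchanged.
# Assumption: Linux with /proc mounted and GNU coreutils `stat` available.

# Compare the device:inode of our "/" with the root of PID 1. Inside a chroot
# the two differ. Reading /proc/1/root needs privilege, so answer "unknown"
# when we cannot look instead of guessing.
chroot_status() {
    mine=$(stat -L -c '%d:%i' / 2>/dev/null) || { echo unknown; return 0; }
    init=$(stat -L -c '%d:%i' /proc/1/root 2>/dev/null) || { echo unknown; return 0; }
    if [ "$mine" = "$init" ]; then echo no; else echo yes; fi
}

# One key=value line per fact, all read from the process itself.
exec_context() {
    printf 'user=%s\n' "$(id -un)"
    printf 'uid=%s euid=%s\n' "$(id -ru)" "$(id -u)"
    printf 'home=%s\n' "${HOME:-<unset>}"
    printf 'cwd=%s\n' "$(pwd)"
    printf 'path=%s\n' "${PATH:-<unset>}"
    printf 'gcloud_config=%s\n' "${CLOUDSDK_CONFIG:-<unset>}"
    printf 'chrooted=%s\n' "$(chroot_status)"
}

# 0 when the directory exists and is readable and searchable by the current
# user, 1 otherwise. Separates "no such directory" from "no permission",
# which chmod experiments alone do not tell apart.
can_read_dir() {
    [ -d "$1" ] && [ -r "$1" ] && [ -x "$1" ]
}

# Run the report only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    exec_context
    cfg="${HOME:-/nonexistent}/.config/gcloud"
    if can_read_dir "$cfg"; then
        echo "gcloud config dir $cfg: readable by $(id -un)"
    else
        echo "gcloud config dir $cfg: missing or not readable by $(id -un)"
    fi
fi
```

From the dialplan, something like `System(/var/lib/asterisk/bin/ctx.sh --run >> /tmp/ctx.log 2>&1)` captures the report; comparing it against the same script run from the CLI shows whether the difference is the user, an unset HOME, or the root directory rather than file permissions.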


(JC) #2

Update:

I’m still not sure if it is chroot or not, but I did discover that if I follow what Guy recommended at the bottom of his thread that I resurrected (Cannot run external application from dial plan, but it is working from the CLI) that it worked.

Essentially, I had to add asterisk to the list of sudoers, with nopassword as well. I do not like this security hole, but I can’t find out why the following keeps happening.

  1. Asterisk, which runs as ‘asterisk’, executes scripts as ‘root’. Why? Also, when the script runs, it runs out of the ‘/tmp’ directory, which I am ok with. How can I get Asterisk to run scripts as ‘asterisk’?

  2. In addition to running the script as ‘asterisk’, how can I get Asterisk to launch the script with the full context of that user, for the purposes of reading files from the asterisk user’s home directory (/home/asterisk/.config/gcloud in particular)?

Thanks for any insight. I don’t want to implement this on all the systems we manage and create a security hole, so I hope to hear of a better way that I can work this. Once I have that figured out, I’ll document this process fully for all to be able to use Google Voice Transcription of voicemails that want it.

Thanks,
JC


(JC) #3

Ok, I was able to secure the process a little more by restricting the commands in visudo. I am now comfortable with this process.

In /etc/sudoers, the Asterisk user was added, with limited command access:

asterisk ALL=(ALL) NOPASSWD: /usr/bin/gcloud

Then in the script, that is located at /var/lib/asterisk/bin/makevmal.sh, the gcloud commands are elevated:
/usr/bin/sudo /usr/bin/gcloud parameter1 parameter2, etc


(JC) #4

I also had to add these for my script to be able to send HTML-formatted emails from Mutt, using an HTML template that I have sitting at /var/lib/vm-transcribe:

asterisk ALL=(ALL) NOPASSWD: /usr/bin/mutt
asterisk ALL=(ALL) NOPASSWD: /usr/bin/cat /var/lib/vm-transcribe/email.html
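The sudoers rules in posts #3 and #4 let the asterisk user run `/usr/bin/gcloud` and `/usr/bin/mutt` as root with any arguments. A common way to narrow that further is to point the rule at a root-owned wrapper that performs one fixed operation on a validated argument, so the rule becomes `asterisk ALL=(root) NOPASSWD: /usr/local/sbin/vm-transcribe`. The wrapper below is an added example, not the poster's makevmal.sh; it assumes (the thread does not say) that the transcription call is `gcloud ml speech recognize`, that voicemail audio lives under /var/spool/asterisk/voicemail, and that the wrapper is installed at /usr/local/sbin/vm-transcribe owned by root with mode 0755.

```shell
#!/bin/sh
# Added example (not the thread's script): a root-owned wrapper that is the
# only command the sudoers rule grants, e.g.
#   asterisk ALL=(root) NOPASSWD: /usr/local/sbin/vm-transcribe
# Assumptions not stated in the thread: the gcloud subcommand used is
# `ml speech recognize`, voicemail audio is under /var/spool/asterisk/voicemail,
# and this file is /usr/local/sbin/vm-transcribe, root:root, mode 0755.

ALLOWED_ROOT=/var/spool/asterisk/voicemail   # assumed voicemail spool location
GCLOUD=/usr/bin/gcloud                       # path used in the thread's sudoers line

# Accept only an absolute path inside ALLOWED_ROOT, with no ".." components,
# only plain filename characters, and a .wav suffix. Returns 0 when acceptable.
validate_audio_path() {
    p=$1
    case "$p" in
        "$ALLOWED_ROOT"/*) ;;                  # must be inside the spool tree
        *) return 1 ;;
    esac
    case "$p" in
        */../*|*/..|*[!A-Za-z0-9/._-]*) return 1 ;;   # traversal or odd characters
    esac
    case "$p" in
        *.wav) ;;
        *) return 1 ;;
    esac
    return 0
}

# The exact argument vector that will be executed, one per line, so the
# privileged operation is reviewable in a single place.
transcribe_argv() {
    printf '%s\n' "$GCLOUD" ml speech recognize "$1" --language-code=en-US
}

main() {
    [ "$#" -eq 1 ] || { echo "usage: $0 /path/to/voicemail.wav" >&2; exit 64; }
    if ! validate_audio_path "$1"; then
        echo "refused: $1 is not a voicemail audio file under $ALLOWED_ROOT" >&2
        exit 77
    fi
    # Do not inherit the caller's environment. sudo's env_reset already drops
    # most of it; setting PATH and HOME explicitly keeps the wrapper
    # independent of the sudoers defaults. Root's gcloud profile is then used.
    export PATH=/usr/bin:/bin HOME=/root
    exec "$GCLOUD" ml speech recognize "$1" --language-code=en-US
}

# With no arguments only the functions are defined (lets the file be sourced).
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

After editing /etc/sudoers run `visudo -c` to check the syntax. The `cat` rule from post #4 is only needed because the template sits outside the asterisk user's reach; keeping the HTML template under /var/lib/asterisk, as post #5 suggests for scripts, lets the asterisk user read it directly and that rule can be dropped.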


#5

The asterisk user does not have any access to /var/lib/ except the /var/lib/asterisk/ directory, unless you changed anything there.

/var/lib/asterisk/bin/

Would be a good location for your asterisk related scripts.


(system) closed #6

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.