Yeah, that’s not the place to open issues against it. That’s actually just an automatically synchronized mirror from git.freepbx.org, and issues should go on issues.freepbx.org.
But here is EXACTLY the right place to talk about this stuff 8)
Firewall uses Sysadmin for, mainly, secure privilege escalation. It doesn’t use sysadmin (the module) for anything, as far as I remember. It uses the sysadmin RPM for that. That’s utilized by the ‘runHook’ code, which - hopefully - is pretty self explanatory.
The problem for NON Distro machines is that doing that securely is super easy with the Sysadmin hooks, because, it’s been audited and checked multiple times, as well as relying on the Zend integrity checking stuff, AND all being root owned, so it’s not possible to be messed with by an attacker.
All of that is missing for something that’s not running FreePBX Distro. So that’s where the missing pieces are at the moment, and I’d love some pull requests to figure out how to fix it.
The main problem is that you have to run stuff as root (iptables, for example), but you also want to install updates and other things as NOT root, so there needs to be that abstraction/isolation layer. You can’t use sudo, because as soon as you grant sudo access to any file owned by Asterisk/Httpd, your machine is immediately attackable by simply replacing the contents of that file.
Lots of problems, and not any solutions - yet. But I’m hopeful that someone will come up with an idea 8)