FreePBX 13: Unable to reload through GUI: Asterisk running as root (PiAF)

Hello…

I am unable to reload through the GUI… I keep getting this error:

Reload failed because retrieve_conf encountered an error: 1
exit: 1
Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)
Exception: Unable to connect to Asterisk through the CLI in file /var/lib/asterisk/bin/retrieve_conf on line 24
Stack trace:
  1. Exception->() /var/lib/asterisk/bin/retrieve_conf:24

However, if I reload FreePBX through the terminal, with command amportal a r or fwconsole reload then it succeeds and I simply refresh the GUI and the Apply Config button is gone…

Configuration:

PIAF Installed Version = 3.0.6.7 under KVM
FreePBX Version = 13.0.10 1
Running Asterisk Version = 12.8.1
Asterisk Source Version = 12.8.1
Dahdi Source Version = 2.10.0.1
Libpri Source Version = 1.4.15
Operating System = CentOS release 6.7 (Final)
Kernel Version = 2.6.32-504.12.2.el6.x86_64 - 64 Bit

I know that *12 is EOL, or going to be… so if anybody has an idea on how to upgrade to *13, that would be much appreciated as well. Maybe that would even fix this issue. Thank you in advance for your help! :smile:

There is no easy way of upgrading asterisk on a PIAF server. Best to start from scratch and migrate your config using backup and restore, just make sure your FreePBX versions match.

FYI, it is trivial to change asterisk versions using the FreePBX Distro, I do it several times a week on my dev servers.

This means Asterisk is NOT running

@jfinstrom

Thanks for the quick reply. However, that’s simply impossible. If * was not running, then I wouldn’t be able to make any calls, etc… Plus, on both the GUI and the terminal * shows as running. I am just simply now able to make any calls. Is there any more troubleshooting I can do to show you that * is running? Maybe a log or command you would like me to try? Thanks…

@lgaetz

Thanks for that… I am working on a new server running FreePBX 13 on CentOS 7 as we speak to migrate over. Question: how much of my config is transferred using the backup and restore module, as far as trunks, extensions, routes, etc? Thanks for the help…

AFAIK, all config gets transferred or should. CDRs, recorded calls, trunk, route, extensions, voicemail, settings, etc. There is an open issue with regard to custom recordings which may have to be transferred manually until it’s fixed.

Good to know :smile:
Thanks.

This actually means that asterisk is running as root and not the asterisk user. This is why a CLI reload works but the GUI doesn’t. PIAF was distributing a version that had asterisk running as root for a good month and didn’t seem to think it was a big deal.

@tm1000

Woah… that’s not good. Is there a way to change that?

http://pbxinaflash.com/community/index.php?threads/asterisk-runs-as-root.17404/

Though it’s a security issue, it was never publicly announced, leaving users like you in the dark.

@tm1000

Thank you for that. I’ll try the steps there when the server is not being used tonight :astonished:… I am more convinced to change to a FreePBX Distro now…

1 Like

The fix is to run the following through terminal:

Tried the fix tonight and it worked! Thanks, @wardmundy :)… Just for reference for anyone else… here’s the code you need to run.

amportal kill
chown -R asterisk:asterisk /var/run/asterisk
sed -i '/END INIT INFO/a AST_USER="asterisk"\nAST_GROUP="asterisk"' /etc/init.d/asterisk
sed -i 's|exit 0|/usr/local/sbin/amportal restart\nexit 0|' /etc/rc.local
amportal restart
sed -i 's|;runuser|runuser|' /etc/asterisk/asterisk.conf
sed -i 's|;rungroup|rungroup|' /etc/asterisk/asterisk.conf
reboot

If ‘amportal kill’ does not work, then ‘amportal stop’ should do the trick and continue with the rest of the commands. Hopefully this helps anybody out there :sunglasses:
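The three things the fix above changes (the account the asterisk process runs under, the owner of /var/run/asterisk, and the runuser/rungroup lines in asterisk.conf) are also the three things worth checking before and after applying it. The script below is an added example, not code posted in this thread; it assumes the PIAF/FreePBX paths used above (/etc/asterisk/asterisk.conf, /var/run/asterisk) and GNU stat/sed/ps. Each check takes its input as an argument, so the functions can be exercised against constructed files; run it with --live to audit a real box.

```shell
#!/bin/sh
# Audit helper for the "Asterisk running as root" problem in this thread.
# Added example, not code from the thread. Assumes the PIAF/FreePBX paths the
# thread uses (/etc/asterisk/asterisk.conf, /var/run/asterisk) and GNU tools.

# Is runuser/rungroup active (not commented out with ';') and set to "asterisk"?
conf_runs_as_asterisk() {
    conf="$1"
    grep -Eq '^[[:space:]]*runuser[[:space:]]*=[[:space:]]*asterisk[[:space:]]*$' "$conf" &&
    grep -Eq '^[[:space:]]*rungroup[[:space:]]*=[[:space:]]*asterisk[[:space:]]*$' "$conf"
}

# Apply the thread's two sed edits (uncomment runuser/rungroup) to a given
# asterisk.conf. Same substitutions as the posted fix, path as an argument.
enable_runuser() {
    conf="$1"
    sed -i 's|;runuser|runuser|' "$conf"
    sed -i 's|;rungroup|rungroup|' "$conf"
}

# Classify the account an asterisk process runs under.
# Prints: ok (asterisk), root, other, or none (no process found).
owner_status() {
    case "$1" in
        "")        echo none ;;
        asterisk)  echo ok ;;
        root)      echo root ;;
        *)         echo other ;;
    esac
}

# Compare a path's owner:group (GNU stat) with what is expected.
path_owned_by() {
    path="$1"; expected="$2"
    [ "$(stat -c '%U:%G' "$path")" = "$expected" ]
}

# Audit a live box: process owner, control-socket directory owner, asterisk.conf.
# Returns non-zero if anything still matches the broken state from the thread.
audit_live() {
    rc=0
    proc_user="$(ps -o user= -C asterisk 2>/dev/null | head -n 1)"
    case "$(owner_status "$proc_user")" in
        ok)   echo "asterisk process: running as asterisk" ;;
        root) echo "asterisk process: RUNNING AS ROOT"; rc=1 ;;
        none) echo "asterisk process: not found"; rc=1 ;;
        *)    echo "asterisk process: running as $proc_user"; rc=1 ;;
    esac
    if path_owned_by /var/run/asterisk asterisk:asterisk; then
        echo "/var/run/asterisk: owned by asterisk:asterisk"
    else
        echo "/var/run/asterisk: NOT owned by asterisk:asterisk (GUI reload will fail)"; rc=1
    fi
    if conf_runs_as_asterisk /etc/asterisk/asterisk.conf; then
        echo "asterisk.conf: runuser/rungroup = asterisk"
    else
        echo "asterisk.conf: runuser/rungroup missing or commented out"; rc=1
    fi
    return $rc
}

# Only run the live audit when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

A non-zero exit from `audit_live` means at least one of the three conditions the fix addresses is still present; rerunning it after the reboot confirms the change actually took effect rather than trusting the GUI status line, which (as noted earlier in the thread) shows Asterisk as running either way.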

For the record @gforceco, you’re running Asterisk 12 which is no longer supported. In evaluating the dangers of various distros, you probably should consider the source of the advice and who acknowledged a root exploit of the FreePBX Distro just three short weeks ago. Then ask yourself how that could happen if the FreePBX Distro weren’t running with root user privileges. The difference is that the FreePBX Firewall not only didn’t protect FreePBX, but it was the actual cause of the root compromise. In contrast, the firewall available for PIAF and Incredible PBX runs INDEPENDENTLY of Apache and its web GUI which is generally a good idea when it comes to firewalls. Otherwise, the whole house of cards comes down (as it did) when any single piece fails.

I’ve manually unflagged Ward’s post in this thread.

I should explain that our forum software (Discourse) is highly self-moderating. If your post is flagged (and people can flag it for any reason they want), your post will get hidden until a real human looks at it.

The only way to stop this from happening is to post helpful and useful posts, and have people click on the Like button (the heart). The more hearts you get, the better the forum software treats you, and the more flags you need to get before your post is hidden.

This is one of the (many) awesome things about Discourse, and is why we love it.

I also urge people not to flag posts for ‘Inappropriate’ when they aren’t - this post wasn’t inappropriate, it was just wrong.

Edit: For those that missed it, the Vulnerability was reported and fixed over twitter in the space of about 10 minutes. Here’s the link to the post where I explained what the problem was, and it’s also mentioned in the first and second posts, too.

It’s not like it’s a sky-is-falling issue, it’s a bug, it was responsibly disclosed, and it was fixed. That’s what infosec is all about. We love people reporting bugs.

3 Likes

Please note this exploit was found by a security researcher who was reviewing code with our support and blessing. When calling your stuff secure it is important to “put up or shut up”. When approached by a security researcher who wants to evaluate what you publicly proclaim as secure, you can A: let them and work with them, or B: well there are other ways to deal with them. So yes the exploit was found with our blessing, fixed, announced without any reports of actual compromised systems.

All code has bugs. The point of my post was to note that you were calling out PIAF for running as root. My question went to whether the FreePBX Distro was doing the same. Very difficult to have a root exploit if your code was actually running as the asterisk user. You have again ignored the question. SO… does the FreePBX Firewall running inside the GUI have root privileges or not?? And, if not, how could there possibly be a root exploit because of a firewall bug? Just trying to learn from the masters…


It’s also answered in full if the link above was followed and someone just did their own research (by following threads and links starting with the one above) ^^

Here’s the link, yet again: FreePBX Firewall Thread! (2nd Post has status) - #72 by xrobau


I’ve got the same issue. After running the commands:
fwconsole stop
chown -R asterisk:asterisk /var/run/asterisk
sed -i '/END INIT INFO/a AST_USER="asterisk"\nAST_GROUP="asterisk"' /etc/init.d/asterisk
sed -i 's|exit 0|/usr/local/sbin/amportal restart\nexit 0|' /etc/rc.local
fwconsole restart
sed -i 's|;runuser|runuser|' /etc/asterisk/asterisk.conf
sed -i 's|;rungroup|rungroup|' /etc/asterisk/asterisk.conf
reboot

I notice that /var/run/asterisk/asterisk.ctl is set to root:root 755

Any ideas?