How does functions.inc.php in a module edit root owned files?

I’m attempting to write a custom module to edit openvpn config files, which, of course, are owned by root. I have not as of yet attempted to write the files, but I’m wondering what, if anything, needs to be done to ensure that the module WILL in fact be able to write the files (client and server config files for openvpn) and be able to restart the openvpn process upon the user submitting changes and clicking apply?

-Andy

It doesn’t. File must be writable by the apache user via user or group permission.

Ok, so the scenario is this: I am wanting to make the module install the config files in /etc/openvpn as well as add entries to the /etc/crontab, but am at a loss as to how to accomplish this task without making the end user have to log in to the console and sudo the commands; for obvious reasons, many users are not comfortable with the console…

One example module is the sysadmin module, where you’re able to change the fail2ban config file jail.local. I just looked on my test system: jail.local has root user and group ownership, with -rw-r--r-- permissions, yet the module is able to make changes to the file? I have not studied the code of that module thoroughly yet, and in reality I do not need my module to directly edit a root owned file, but I’m thinking if the module installer can install a crontab entry that periodically checks another, apache owned file for changes, it could then copy the changes to the /etc/openvpn root owned files and restart the openvpn process… just not wanting to reinvent the wheel if there is (obviously) already a mechanism in place to get this accomplished.

-Andy

Look into adding incron entries (man incron and then incrontab -e) and scripts to suit. It will allow such an escalation by derivation; be careful though, it can allow everything if you add root entries!!

Still up researching this lol… As an alternative, and probably more secure arrangement, I’m now looking at how I could run openvpn as the asterisk user; it really only needs root privileges for initial turn up, then later tear down of the tun/tap interfaces… I delved into the sysadmin module some more but alas, the code is obfuscated! GRRRR… don’t blame them since there is a sysadmin pro module, but still… throw a guy a bone here developers, not trying to compete! My module is actually for use as a way to keep from opening holes in the firewalls of my customers: I make the box vpn to me :slight_smile: Would like this modular for ease of install by underlings so I don’t have to go console on each and every box, and tbh I don’t trust the underlings going to console on a regular basis… the ones that know console level usually cost too much, thus killing profit margin from the client LOL

Adding anything to the asterisk user’s privileges is probably not a good idea; you probably have your webserver running with those privileges already. As a developer, think about that please: you want to run a secure service under an intrinsically insecure user account? What could possibly go wrong there? :wink:

Looking at incrond, wouldn’t I still have to install the underlying root privileged portions as root, from the console, including the root privileged cron jobs? It’s really beginning to look like this is an exercise in futility and I’m just going to have to continue to install that portion manually on each and every system?

Look at the extant incron stuff to see how sysadmin does it. ‘Source for the goose is source for the gander’ (please forgive my misquote :wink:)

I believe I more or less get the gist of what incron does, but unless I’m either a) too tired, or b) just missing it somehow, there still is the problem of getting the root side of things installed via a module in the freepbx module loader… probably a) at this point LOL

You simply write to a file that your apache user can, monitor that file for changes, and incron will execute any script that you want. It can avail itself, of course, of the content of that file you wrote/updated. The user permissions on that script are divorced from your apache user’s one; it is run with the privileges of the incron user chosen. It’s as simple as that, and in the man page.
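
Added example, not part of any post in this thread and not FreePBX or sysadmin-module code: a root-side helper of the kind the incron approach above relies on, written so that the apache-writable staging file is treated as untrusted input before anything reaches /etc/openvpn. The paths, the directive allowlist, the function names and the `RESTART_CMD` default are assumptions.

```shell
#!/bin/sh
# Added example. Root-side helper that a root incrontab line such as this one
# (both paths are assumptions) would run when the web user rewrites the file:
#   /var/spool/asterisk/ovpn-stage IN_CLOSE_WRITE /usr/local/sbin/ovpn-apply $@/$# /etc/openvpn/client.conf
LC_ALL=C; export LC_ALL

# Directives this helper accepts (assumed list). Anything else, such as up,
# down, plugin or script-security, is refused: those make OpenVPN run commands.
ALLOWED="client dev proto remote port resolv-retry nobind persist-key persist-tun ca cert key cipher verb keepalive"

# Succeed only if every line is blank, a comment, or an allowed directive
# whose words use a conservative character set.
validate_conf() {
    vc_file=$1; vc_rc=0
    set -f                                   # no glob expansion while splitting
    while IFS= read -r vc_line || [ -n "$vc_line" ]; do
        set -- $vc_line                      # split the line on whitespace
        [ "$#" -eq 0 ] && continue
        case $1 in '#'*|';'*) continue ;; esac
        case " $ALLOWED " in *" $1 "*) ;; *) vc_rc=1; break ;; esac
        for vc_word in "$@"; do
            case $vc_word in *[!A-Za-z0-9._/:-]*) vc_rc=1; break 2 ;; esac
        done
    done < "$vc_file"
    set +f
    return "$vc_rc"
}

# Copy the web-writable file into a root-owned temp file first, validate the
# copy, then rename it into place, so the content cannot be swapped between
# the check and the install.
apply_conf() {
    ac_src=$1; ac_dst=$2
    [ -f "$ac_src" ] && [ ! -L "$ac_src" ] || return 1
    ac_tmp=$(mktemp "$ac_dst.XXXXXX") || return 1
    if cat "$ac_src" > "$ac_tmp" && validate_conf "$ac_tmp"; then
        chmod 0644 "$ac_tmp" && mv -f "$ac_tmp" "$ac_dst" && ${RESTART_CMD:-service openvpn restart}
    else
        rm -f "$ac_tmp"; echo "rejected: $ac_src" >&2; return 1
    fi
}

# Run only when called with <staged file> <destination>, as incron would.
if [ "$#" -eq 2 ]; then apply_conf "$1" "$2"; fi
```

The helper and the incrontab entry still have to be installed once as root; after that the module only ever writes the staging file.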
