Polycoms can't write to freepbx tftpboot/logs dir


(BGM) #1

We are using TFTP with EPM and Polycom phones.
The Polycom phones can’t write their log files to the logs folder.
Funny thing is that the phones will write to the log file if I manually create the log file first.

This is how my basefile looks:
LOG_FILE_DIRECTORY="/logs/"

The permissions for the /tftpboot/logs/ folder are:
drwxrwxrwx 2 asterisk asterisk 4096 Jan 19 19:15 logs

iptables are disabled.

How do I fix this?


(TheJames) #2

This is because the server is not given the -c option. This may have some security implications. Feel free to open up a feature request. You could change this yourself, but it may get nuked on an update.


(BGM) #3

Thanks for the answer! You mean to give a -c option to the tftp server?
I found a thread talking about that here, too.

I’ll do it and open the feature request to go with it in the meantime.

It makes sense - I have the same problem with the Polycom mac-directory.xml files - they can’t create them; they can only edit them if I put them there myself.

[update]
So I set the option for service tftp to:
server_args = -s -c /tftpboot
and restarted the xinetd service; but it still doesn’t create the log file in /tftpboot/logs
selinux is disabled.

Here is my /etc/xinetd.d/tftp file:

service tftp
{
    disable     = no
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = root
    server      = /usr/sbin/in.tftpd
    server_args = -s -c /tftpboot
    per_source  = 11
    cps         = 100 2
    flags       = IPv4
}

Do I need to add asterisk as a user somehow?

Is it necessary to run in.tftpd separately and not in xinetd like it says at the bottom of this thread?


(BGM) #4

I think I solved this.
The polycoms have a default FTP username and password.
Once I removed this, they were able to write back to the tftp directory.


(BGM) #5

In the end, I did
chown 777
on the tftpboot folder, and all phones began to write their logs to the server.


(BGM) #6

Okay, this worked for a while, then it stopped working. Now they are back to not writing to the log directory.

When I watch the messages tail for the tftp directory, I can see they are getting “Permission Denied”.

What else can I do?


#7

Your tftpd needs -c (create) as a server option. Add -vv and watch /var/log/messages.


(BGM) #8

Thanks, but I did that a long time ago:

When I chmod 777 the tftpboot folder, it seems like when I commit changes in FreePBX that it changes the folder permissions back. Maybe there’s a setting I’m lacking somewhere?

I am watching the messages tail and WRQs are getting permission denied.


#9

I would spend my efforts on deploying a safer method; tftp is plain dangerous. Polycoms are very happy with https (but you will still need to give write permission to asterisk on the directory).


(Tom Ray) #10

So is setting the directories and files to 777, because that means anything can be uploaded and then executed if they can figure out that the same directory is accessible via HTTP/HTTPS with no password and can run the scripts they updated via tftp.


(BGM) #11

I agree; I just wanted to make sure they could actually do it before I proceeded. I would like to continue using tftp as I have for over a decade, but I’ll change the permissions so they cannot execute.
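
The plan in post #11 (keep TFTP, take away execute permission), together with the -c check from posts #2 and #7, as an added example that is not part of the thread and not FreePBX or EPM code. The function names, the temporary paths and the sample log file name are constructed; reading -s as chroot and the --create/--secure long forms assume the tftp-hpa in.tftpd.

```shell
#!/bin/sh
# Added example: audit a TFTP upload tree and the xinetd server_args.
# Assumption: nothing under the TFTP root ever needs to be executable.

# Print one finding per line for the TFTP root $1.
#   EXEC  = regular file with any execute bit set
#   WWDIR = world-writable directory (prefer owner/group write for the
#           account tftpd runs as, rather than 777)
tftp_audit() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sed 's/^/EXEC /'
    find "$1" -type d -perm -002 | sed 's/^/WWDIR /'
}

# Remove execute bits from regular files only; directories keep x so
# they stay traversable.
tftp_strip_exec() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -exec chmod a-x {} +
}

# Print "create=<yes|no> chroot=<yes|no>" for the server_args line in the
# xinetd service file $1. Runs in a subshell so set -f and the variables
# do not leak into the caller.
tftp_server_flags() (
    set -f
    create=no; chroot=no
    for word in $(sed -n 's/^[[:space:]]*server_args[[:space:]]*=//p' "$1"); do
        case $word in --create) create=yes ;; --*) ;; -*c*) create=yes ;; esac
        case $word in --secure) chroot=yes ;; --*) ;; -*s*) chroot=yes ;; esac
    done
    echo "create=$create chroot=$chroot"
)

# Constructed sample tree and config mirroring the thread's setup.
demo=$(mktemp -d)
mkdir -p "$demo/tftpboot/logs"
: > "$demo/tftpboot/logs/000000000000-app.log"   # constructed file name
chmod -R 777 "$demo/tftpboot"
printf 'service tftp\n{\n    server_args = -s -c /tftpboot\n}\n' > "$demo/tftp"
tftp_server_flags "$demo/tftp"     # flags the daemon is started with
tftp_audit "$demo/tftpboot"        # before: one EXEC, two WWDIR
tftp_strip_exec "$demo/tftpboot"
tftp_audit "$demo/tftpboot"        # after: only the WWDIR lines remain
rm -rf "$demo"
```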