SSH as non-root user


(Mat Phillips) #1

I’d prefer not to connect to FreePBX as root, so I made a regular user account and added it to the wheel group so it can use sudo. All that works, but there are errors when connecting:

Last login: 
PHP Warning:  include_once(/etc/asterisk/freepbx.conf): failed to open stream: Permission denied in /var/lib/asterisk/bin/fwconsole on line 13
PHP Warning:  include_once(): Failed opening '/etc/asterisk/freepbx.conf' for inclusion (include_path='.:/usr/share/pear:/usr/share/php') in /var/lib/asterisk/bin/fwconsole on line 13
PHP Fatal error:  Class 'Symfony\Component\Console\Application' not found in /var/www/html/admin/libraries/FWApplication.class.php on line 11

and it can’t connect to asterisk either:

$ asterisk -r
Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)

I’d normally just fix this by changing permissions or whatever, but I’d expect some of that to be undone by the update scripts, so what’s the correct way to allow a new user to connect in this way?
Thanks.


(Matthew Fearnley) #2

I would also like to be able to create a non-root user to use for SSH.

I had a similar error to above. I found my /etc/freepbx.conf only had rw permissions (660) for asterisk.asterisk. I tried adding my user to the asterisk group, but got different errors instead:

Whoops\Exception\ErrorException: chown(): Operation not permitted in file /var/www/html/admin/modules/cxpanel/functions.inc.php on line 45
Stack trace:
  1. Whoops\Exception\ErrorException->() /var/www/html/admin/modules/cxpanel/functions.inc.php:45
  2. Whoops\Run->handleError() :0
  3. chown() /var/www/html/admin/modules/cxpanel/functions.inc.php:45
  4. require_once() /var/www/html/admin/bootstrap.php:382
  5. require_once() /etc/freepbx.conf:9
  6. include_once() /var/lib/asterisk/bin/fwconsole:12

(TheJames) #3

You can create or connect as any user, but most CLI operations will need to be run with sudo or sudo -u asterisk.


#4

Our SSH setup does not allow root connections. We SSH into the system as a non-root user and get the above error (which we ignore). Then we switch to root and everything works as it should and the error goes away.


(Dave Burgess) #5

Standard Unix wisdom implies that you may be able to add your ‘non-root’ users to the “asterisk” group in the /etc/group file and avoid the error. When you add your users, if you make their default group “asterisk”, you should also be able to avoid this altogether.


(Matthew Fearnley) #6

Hi. I didn’t realise users had a default group…
Having reordered my groups though, I still get the above error:

Whoops\Exception\ErrorException: chown(): Operation not permitted in file /var/www/html/admin/modules/cxpanel/functions.inc.php on line 45

Lines 45-46 of the above file read:

chown($amp_conf['AMPWEBROOT'] . "/admin/modules/cxpanel/main.log", $amp_conf['AMPASTERISKUSER']);
chgrp($amp_conf['AMPWEBROOT'] . "/admin/modules/cxpanel/main.log", $amp_conf['AMPASTERISKGROUP']);

Assuming AMPWEBROOT is ‘/var/www/html/’, the main.log file already exists and is owned by asterisk.asterisk (775).


(Matthew Fearnley) #7

After a little reading, I understand that only root can change the ownership of files.

I commented out the above lines (a better, more permanent workaround would be to put them in an if block of some sort). It got much further, and printed all of the appropriate text, but threw an exception at the end:
[ASCII-art banner]

NOTICE! You have 8 notifications! Please log into the UI to see them!

Current Network Configuration
+-----------+-------------------+-------------------------+
| Interface | MAC Address       | IP Addresses            |
+-----------+-------------------+-------------------------+
#...
+-----------+-------------------+-------------------------+

Please note most tasks should be handled through the GUI.
You can access the GUI by typing one of the above IPs in to your web browser.
For support please visit:
    http://www.freepbx.org/support-and-professional-services

PHP Fatal error:  Uncaught exception 'Exception' with message 'Don't have permission/can't write to: /etc/asterisk/keys' in /var/www/html/admin/libraries/BMO/PKCS.class.php:487
Stack trace:
#0 /var/www/html/admin/libraries/BMO/PKCS.class.php(549): FreePBX\PKCS->getKeysLocation()
#1 /var/www/html/admin/libraries/BMO/PKCS.class.php(53): FreePBX\PKCS->checkPermissions()
#2 [internal function]: FreePBX\PKCS->__destruct()
#3 {main}
  thrown in /var/www/html/admin/libraries/BMO/PKCS.class.php on line 487

I get the feeling that it’s not designed to allow non-root users to log in?

EDIT: I fixed the above exception by just giving group write permissions to /etc/asterisk/keys.
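
An added example (not code from the thread or from FreePBX) that evaluates the mode bits behind the errors reported in posts #2 to #7. The user name `mat`, the 755 starting mode for /etc/asterisk/keys and all function names are assumptions.

```shell
#!/bin/sh
# Added example: classic Unix mode-bit evaluation. ACLs, SELinux and
# parent-directory traversal are not modelled. chown() is outside this
# model entirely: changing a file's owner needs root (CAP_CHOWN).

# member_of NAME LIST...: succeeds if NAME is one of LIST.
member_of() {
    needle=$1; shift
    for g in "$@"; do [ "$g" = "$needle" ] && return 0; done
    return 1
}

# mode_allows MODE OWNER GROUP USER "USER_GROUPS" r|w
# Succeeds if the one class that applies to USER (owner, else group,
# else other) grants the bit. root bypasses the r/w check.
mode_allows() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5
    case $6 in r) bit=4 ;; w) bit=2 ;; *) return 2 ;; esac
    [ "$user" = root ] && return 0
    perms=$(( 0$mode & 0777 ))   # drop setuid/setgid/sticky
    if [ "$user" = "$owner" ]; then shift_by=6
    elif member_of "$group" $ugroups; then shift_by=3
    else shift_by=0
    fi
    [ $(( ($perms >> $shift_by) & $bit )) -ne 0 ]
}

verdict() { mode_allows "$@" && echo allowed || echo denied; }

# audit_path PATH USER: r/w verdicts from live metadata.
# Assumes GNU stat (-c) and that USER exists on this host.
audit_path() {
    meta=$(stat -c '%a %U %G' "$1") || return 2
    ug=$(id -Gn "$2") || return 2
    set -- "$1" "$2" $meta
    for want in r w; do
        echo "$1 ($3 $4:$5) $2 $want=$(verdict "$3" "$4" "$5" "$2" "$ug" "$want")"
    done
}

# Constructed walk-through of the thread. "mat" is a made-up user; the
# 755 starting mode for the keys directory is an assumption.
G='mat wheel asterisk'
echo "conf 660, not in group: read  $(verdict 660 asterisk asterisk mat 'mat wheel' r)"
echo "conf 660, in asterisk:  read  $(verdict 660 asterisk asterisk mat "$G" r)"
echo "keys 755, in asterisk:  write $(verdict 755 asterisk asterisk mat "$G" w)"
echo "keys 775, in asterisk:  write $(verdict 775 asterisk asterisk mat "$G" w)"
```

On a live host, `audit_path /etc/asterisk/keys someuser` prints the same verdicts from real metadata, which shows exactly what membership of the asterisk group exposes to a login account.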


(Riccardo Venturini) #8

I fixed the login error by modifying line 18 of the script /etc/profile.d/motd.sh:

#[ "$SU" ] && $SU "$FWCONSOLE motd" || $FWCONSOLE motd
[ "$SU" ] && $SU "$FWCONSOLE motd"