Hi

On Thu, Feb 24, 2005 at 11:41:41AM +0100, Hecken, Guido wrote:
> >Secondly, is the statement no.2 a line I need to change in a given file?
> You have to change/verify some settings in phpconfig_init.php .
> Look for fakeuser=admin.
> Set $reset_cmd = "./asterisk.reload";
> Be sure, the script has write access in /etc/asterisk
> Have something in your sudoers file (/etc/sudoers) like
> apache ALL=(ALL) NOPASSWD: ALL

Why not simply run apache as root and be done with that? Adding the following line to sudoers makes apache root-equivalent. Any attacker that is able to compromise apache gets your whole server.

> to allow apache execute system commands like asterisk -r -x 'restart now'
>
> Another important file is the manager.conf in /etc/asterisk
> [general]
> enabled = yes
> port = 5038
> bindaddr = 0.0.0.0
>
> [admin]
> secret = secret
> permit = 192.168.0.0/255.255.255.0
> read = system,call,log,verbose,command,agent,user
> write = system,call,log,verbose,command,agent,user
>
> With these settings enabled, it should work.
> Be aware, this is not a secure solution since allowing apache to execute
> system-commands, and using the asterisk-web-dir (/var/www/html/asterisk)
> without any further security actions like .htaccess file should only be used
> in trusted environments like intranets.

Furthermore: anyone who can add arbitrary entries to your dialplan can use System to make apache run an arbitrary command. If you run asterisk as root (which you shouldn't) this gives the attacker a convenient root shell access. If not: it will only give the attacker the opportunity to run an arbitrary command as the asterisk user.

If you want to edit an arbitrary config file, use ssh. It is a well-tested, well understood and well-supported environment. Either edit directly from the shell (you can't really beat vim ;-) ), or use an external X server and a more comfortable editor, or simply edit files via sftp.

> We can live with these restrictions. In the meanwhile we're testing and
> evaluating the complete asterisk configuration from within mysql.

Not much better, security-wise. I figure that the password to a mysql account with ability to write to the config (and specifically to the dialplan) will be available in a certain location. So apache still has the ability to change the dialplan.

Consider using su-exec (and php in cgi) to run the configuration interface as the user asterisk or a special user.

-- 
Tzafrir Cohen         | New signature for new address and  | VIM is
http://tzafrir.org.il | new homepage                       | a Mutt's
[EMAIL PROTECTED]     |                                    | best
ICQ# 16849755         | Space reserved for other protocols | friend
_______________________________________________
Asterisk-Users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users
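
An added example, not part of the original message or of any project mentioned in it: a small Python audit that flags the sudoers and manager.conf settings criticised in this thread, run over the values quoted above. The service-account list, the eight-character secret threshold and the function names are assumptions made for illustration.

```python
import configparser
import re
# Constructed input: the settings quoted in the thread, embedded inline.
SUDOERS = "apache ALL=(ALL) NOPASSWD: ALL\n"
MANAGER_CONF = """[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0
[admin]
secret = secret
permit = 192.168.0.0/255.255.255.0
read = system,call,log,verbose,command,agent,user
write = system,call,log,verbose,command,agent,user
"""
SERVICE_USERS = {"apache", "www-data", "asterisk"}  # assumption: accounts to check
# Rule shape: user host = (runas) TAG: command[, command...]
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\))?\s*((?:\w+:\s*)*)(.+)$")

def audit_sudoers(text):
    findings = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) not in SERVICE_USERS:
            continue
        user, runas, tags, cmds = m.groups()
        # An omitted runas list means root; drop any ":group" part.
        runas_users = (runas or "root").split(":")[0].replace(" ", "").split(",")
        if {"ALL", "root"} & set(runas_users) and "ALL" in [c.strip() for c in cmds.split(",")]:
            how = "without a password" if "NOPASSWD:" in tags else "with a password"
            findings.append(f"sudoers: {user} can run any command as root {how}")
    return findings

def audit_manager(text):
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    findings = []
    if cp.getboolean("general", "enabled", fallback=False) and \
            cp.get("general", "bindaddr", fallback="") == "0.0.0.0":
        findings.append("manager.conf: manager interface listens on every address")
    for name in (s for s in cp.sections() if s != "general"):
        secret = cp.get(name, "secret", fallback="")
        if secret in ("secret", name) or len(secret) < 8:
            findings.append(f"manager.conf: [{name}] has a guessable secret")
        write = cp.get(name, "write", fallback="").split(",")
        risky = sorted({w.strip() for w in write} & {"command", "system"})
        if risky:
            findings.append(f"manager.conf: [{name}] may write {','.join(risky)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_sudoers(SUDOERS) + audit_manager(MANAGER_CONF)))
```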
