OK, how about:
- Apache user owns non-active copy of Asterisk config tree
- Upon config commit, apache user does rsync-over-ssh to
asterisk@localhost, using an SSH key that's restricted on the server
side to only run the other half of the rsync command (I'm doing this for
some things, and can provide you with the exact authorized_keys line
prefix if needed)
- Apache user tells asterisk to reload, either via restrictive sudo
access or via another command-restricted SSH key
That way the apache user doesn't have any special permissions, except
to push the config tree and reload Asterisk. (Additionally, you could
limit the files pushed via config, and add sanity checks on the
configuration before reloading.) Furthermore, this model does actually
support splitting out Apache and Asterisk to separate servers
(s/localhost/asterisk-server/).
Any thoughts? :-)
Jima
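
One way to build the server-side half of the command-restricted key setup described in the message above. This is an example added here, not part of the original thread and not the authorized_keys line the author offers to share. The script name `asterisk-gate`, its install path, the `/etc/asterisk/` destination, the pinned rsync string and the `reload` token are all assumptions.

```shell
#!/bin/sh
# Added example: forced-command gate for the asterisk account.
# Installed through an authorized_keys line of this shape (key elided):
#   command="/usr/local/bin/asterisk-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... apache@web
# sshd then runs this script instead of whatever the client asked for and
# hands over the client's request in SSH_ORIGINAL_COMMAND.

# ASSUMPTION: pinned receiver command. The option string rsync sends depends
# on the rsync version and the client's flags; log SSH_ORIGINAL_COMMAND once
# from a real push and paste it here. Constructed sample value:
ALLOWED_PUSH='rsync --server -logDtpre.iLsf --delete . /etc/asterisk/'
# ASSUMPTION: literal token the web application sends to request a reload.
ALLOWED_RELOAD='reload'

# gate_decide REQUEST: prints push, reload or deny.
# Quoted case patterns are compared literally, so glob characters in the
# request cannot widen the match.
gate_decide() {
    case "$1" in
        "$ALLOWED_PUSH")   echo push ;;
        "$ALLOWED_RELOAD") echo reload ;;
        *)                 echo deny ;;
    esac
}

gate_main() {
    request="${SSH_ORIGINAL_COMMAND:-}"
    case "$(gate_decide "$request")" in
        push)
            set -f                      # no globbing while word-splitting
            exec $ALLOWED_PUSH ;;       # run the pinned string, not the request
        reload)
            exec asterisk -rx 'core reload' ;;
        *)
            logger -t asterisk-gate "denied: ${request:-<interactive login>}"
            echo 'asterisk-gate: request not permitted' >&2
            return 1 ;;
    esac
}

# Act only when invoked under the installed name (the forced command).
if [ "${0##*/}" = asterisk-gate ]; then
    gate_main
fi
```

Any change to the client's rsync flags or destination changes the string sshd receives, so the pinned value has to be updated with it; a mismatch shows up as a `denied:` line in syslog.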
On 2013-04-05 19:47, S. Dale Morrey wrote:
> Yeah that's not going to happen. This is a public, customer facing
> asterisk box for a use case that exists for the sole purpose of bypassing
> the incumbent telco's exchange to provide discount calling. I'm
> essentially helping them to roll their own telco.
>
> Here in Ecuador you can have a connection of either, WiMax, Microwave (at
> least I'm told that's a microwave antenna on some of the houses), Cable,
> DSL, Satellite, 3G and coming soon local fiber. There are a plethora of
> ISPs and options so internet access is dirt cheap. This also means we
> can't lock the boxen down to any specific IP address or range. We also
> can't place the box behind a NAT or a subnet.
>
> This particular webinterface is for folks to pay their phone bill on.
> Everyone needs to be able to connect to this box no matter where they're
> from. So we implemented TLS & ZRTP to secure the connection and then
> fail2ban to blacklist IPs after n failed login attempts (currently n is 5,
> but that could change).
>
> Ideally I would have liked to have had a different design where there is an
> asterisk box, a billing box, a webserver and a DB server all on separate
> boxes.
> I was unable to make this configuration or anything like it work with
> A2Billing despite 4 solid 18 hour days trying.
>
> In fact it seems A2Billing insists on sitting on the asterisk box itself,
> although I was able to push the DB onto its own box and it seems happy
> with that.
> For that many hours I probably could have written my own stack, but part of
> the point was to enable the locals to run it once I'm gone.
>
> Nevertheless, I now have a webserver sitting on top of a SIP server. As
> far as I can tell I am stuck with this configuration, and I need to lock
> this down as much as possible, while still providing relevant access to
> admins, resellers and individual customers.
>
> Thus the original question about who should be in whose group. Thanks for
> the help guys!
>
>
> On Fri, Apr 5, 2013 at 8:17 PM, Steve Alligood <[email protected]> wrote:
>
>> Not a problem if you lock down apache to specific IPs :)
>>
>> In fact, there are enough sip vulnerabilities from time to time that I put
>> the phones themselves on either a private network (or controlled public
>> network) or give them dyndns set ups and have a script auto update the
>> iptables rules to those DNS names.
>>
>> -Steve
>>
>> On Apr 5, 2013, at 7:02 PM, "S. Dale Morrey" <[email protected]>
>> wrote:
>>
>>> You know, that's a very good question that I've never explored. Can anyone
>>> chime in on that for me? Also is there a security problem with letting
>>> Apache own the config files for Asterisk?
>>>
>>>
>>> On Fri, Apr 5, 2013 at 7:29 PM, Jima <[email protected]> wrote:
>>>
>>>> On 2013-04-05 18:06, S. Dale Morrey wrote:
>>>>> Hey Pluggers,
>>>>>
>>>>> I've got a quick best practices question for you.
>>>>>
>>>>> I have asterisk installed and running as the asterisk user and apache
>>>>> installed and running as the apache user.
>>>>>
>>>>> I've got a new web interface that needs to execute some scripts to modify
>>>>> asterisk dialplans, tell asterisk to reload itself, etc.
>>>>>
>>>>> Would it be best to add asterisk to the apache group, apache to the
>>>>> asterisk group, both of the above or something else?
>>>>
>>>> Is there a reason Asterisk needs to be able to write to the tree? As
>>>> long as it can read the configuration files, you don't really need to
>>>> muck around with group ownership. Personally, I'd just grant the apache
>>>> user the ability to reload Asterisk via sudo, and let it own the configs.
>>>>
>>>> Jima
>>>>
>>>>
>>>>
>>
>> /*
>> PLUG: http://plug.org, #utah on irc.freenode.net
>> Unsubscribe: http://plug.org/mailman/options/plug
>> Don't fear the penguin.
>> */
>>