Hello,
have you disabled selinux to see if it starts ok without it?
Cheers,
Daniel
On 03.04.17 13:54, Ginhoux, Patrick wrote:
Hi,
Well, with one of my colleagues, we did some research and tests, but we
did not find where the privilege issue is with the /var/ FS.
If the fifo filename is "/var/run/kamailio/kamailio_rpc_fifo" or
"/var/run/kamailio_rpc_fifo", we have this privilege issue.
I thought that the following declaration would prevent this security
issue:
modparam("jsonrpcs", "fifo_name", DEFINE_FIFO_NAME)
modparam("jsonrpcs", "fifo_mode", 0755)
modparam("jsonrpcs", "fifo_group", "kamailio")
modparam("jsonrpcs", "fifo_user", "kamailio")
but it is not the case.
For the moment only the fifo filename "/tmp/kamailio_rpc_fifo" is
valid for kamailio to start.
Regards,
Patrick GINHOUX
*From:* Ginhoux, Patrick
*Sent:* Monday, 27 March 2017 17:46
*To:* 'miconda(a)gmail.com' <miconda(a)gmail.com>; Kamailio (SER) - Users
Mailing List <sr-users(a)lists.sip-router.org>
*Subject:* RE: [SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME settings problem
Hi,
I am continuing to investigate this area.
I’m thinking that there are some security settings on the FS /var/,
and I’m checking whether we have the rights to change them (I work for a
project and am not able to change some settings without
agreement).
I’ll update you later tomorrow.
Regards,
Patrick GINHOUX
*From:* Daniel-Constantin Mierla [mailto:miconda@gmail.com]
*Sent:* Monday, 27 March 2017 15:28
*To:* Ginhoux, Patrick <patrick.ginhoux(a)fr.unisys.com>; Kamailio (SER) - Users
Mailing List <sr-users(a)lists.sip-router.org>
*Subject:* Re: [SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME settings problem
Hello,
as recently as last week, someone encountered a file access problem
while installing Siremis, which also uses some temporary files in
/var/, even though it was granting privileges via chown and chmod. All went
fine after disabling selinux. It was on a centos.
I am not saying it is the same, but it could be, so try without centos to
see if the issue persists.
Cheers,
Daniel
On 27/03/2017 15:10, Ginhoux, Patrick wrote:
Hi,
This is the RHEL 7.1 distro, and there is use of selinux, apparmor
or other tools.
Do you mean that the /var/run/ folder would be secured more
than other folders?
Regards,
Patrick GINHOUX
*From:* sr-users [mailto:sr-users-bounces@lists.sip-router.org] *On
behalf of* Daniel-Constantin Mierla
*Sent:* Monday, 27 March 2017 13:52
*To:* Kamailio (SER) - Users Mailing List
<sr-users(a)lists.sip-router.org>
*Subject:* Re: [SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME settings
problem
Hello,
kamailio should attempt to create the /var/run/kamailio folder if
the application is run with enough privileges. However, some
operating systems add more constraints on top of the execution user.
What is your OS distro? Do you have selinux, apparmor or other
similar tools enabled?
Cheers,
Daniel
On 24/03/2017 17:52, Ginhoux, Patrick wrote:
In my ‘kamctlrc’ file :
## path to FIFO file for engine RPCFIFO
RPCFIFOPATH="/var/run/kamailio/kamailio_rpc_fifo"
#RPCFIFOPATH="/tmp/kamailio_rpc_fifo"
In my ‘kamailio.cfg’ :
!!ifndef DEFINE_FIFO_NAME
!!define DEFINE_FIFO_NAME "/var/run/kamailio/kamailio_rpc_fifo"
!!endif
modparam("jsonrpcs", "pretty_format", 1)
modparam("jsonrpcs", "transport", 2)
modparam("jsonrpcs", "fifo_name", DEFINE_FIFO_NAME)
modparam("jsonrpcs", "fifo_mode", 0755)
modparam("jsonrpcs", "fifo_group", "kamailio")
modparam("jsonrpcs", "fifo_user", "kamailio")
kamailio doesn’t start. It reports ‘Permission denied’ :
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1138]: ERROR:
jsonrpcs [jsonrpcs_fifo.c:144]: jsonrpc_init_fifo_server():
Can't create FIFO: Permission denied (mode=493)
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1138]: CRITICAL:
jsonrpcs [jsonrpcs_fifo.c:489]: jsonrpc_fifo_process(): failed
to init jsonrpc fifo server
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1120]: ALERT:
<core> [main.c:741]: handle_sigs(): child process 1138 exited
normally, status=255
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1130]: DEBUG:
<core> [core/sr_module.c:920]: init_mod_child(): rank 4: tm
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1137]: DEBUG:
<core> [core/sr_module.c:920]: init_mod_child(): rank -1: tm
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1127]: DEBUG:
htable [htable.c:226]: child_init(): rank is (1)
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1120]: INFO:
<core> [main.c:759]: handle_sigs(): terminating due to SIGCHLD
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1139]: DEBUG:
<core> [core/sr_module.c:920]: init_mod_child(): rank -2: kex
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1130]: DEBUG: tm
[callid.c:137]: child_init_callid(): callid:
'15b1f0d63a718465-1130@129.227.83.108'
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1137]: DEBUG: tm
[callid.c:137]: child_init_callid(): callid:
'15b1f0d63a718465-1137@129.227.83.108'
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1127]: DEBUG:
<core> [core/action.c:1656]: run_child_one_init_route():
attempting to run event_route[core:worker-one-init]
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1136]: INFO:
<core> [main.c:814]: sig_usr(): signal 15 received
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1135]: INFO:
<core> [main.c:814]: sig_usr(): signal 15 received
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1134]: INFO:
<core> [main.c:814]: sig_usr(): signal 15 received
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1133]: INFO:
<core> [main.c:814]: sig_usr(): signal 15 received
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1132]: INFO:
<core> [main.c:814]: sig_usr(): signal 15 received
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1131]: INFO:
<core> [main.c:814]: sig_usr(): signal 15 received
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1129]: INFO:
<core> [main.c:814]: sig_usr(): signal 15 received
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1128]: INFO:
<core> [main.c:814]: sig_usr(): signal 15 received
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1120]: ERROR: ctl
[ctl.c:387]: mod_destroy(): ERROR: ctl: could not delete unix
socket /var/run/kamailio//kamailio_ctl: Permission denied (13)
Mar 24 17:31:21 localhost /usr/sbin/kamailio[1120]: ERROR:
jsonrpcs [jsonrpcs_fifo.c:595]: jsonrpc_fifo_destroy(): FIFO
stat failed: Permission denied
If I replace the values in the 2 files as appropriate:
In the ‘kamctlrc’ to RPCFIFOPATH="/tmp/kamailio_rpc_fifo"
In the ‘kamailio.cfg’ to !!define DEFINE_FIFO_NAME
"/tmp/kamailio_rpc_fifo"
Then kamailio starts:
[root@vm-vse02-siprouter1 ~]# ps -ef |grep kam
kamailio 1235 1 0 17:37 ? 00:00:00
/usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u
kamailio -g kamailio
kamailio 1236 1235 0 17:37 ? 00:00:00
/usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u
kamailio -g kamailio
kamailio 1237 1235 0 17:37 ? 00:00:00
/usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u
kamailio -g kamailio
kamailio 1238 1235 0 17:37 ? 00:00:00
/usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u
kamailio -g kamailio
kamailio 1239 1235 0 17:37 ? 00:00:00
/usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u
kamailio -g kamailio
kamailio 1240 1235 0 17:37 ? 00:00:00
/usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u
kamailio -g kamailio
kamailio 1241 1235 0 17:37 ? 00:00:00
/usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u
kamailio -g kamailio
kamailio 1242 1235 0 17:37 ? 00:00:00
/usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u
kamailio -g kamailio
kamailio 1243 1235 0 17:37 ? 00:00:00
/usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u
kamailio -g kamailio
kamailio 1244 1235 0 17:37 ? 00:00:00
/usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u
kamailio -g kamailio
kamailio 1245 1235 0 17:37 ? 00:00:00
/usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u
kamailio -g kamailio
kamailio 1246 1235 0 17:37 ? 00:00:00
/usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u
kamailio -g kamailio
kamailio 1247 1235 0 17:37 ? 00:00:00
/usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u
kamailio -g kamailio
kamailio 1248 1235 0 17:37 ? 00:00:00
/usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u
kamailio -g kamailio
root 1251 1165 0 17:37 pts/0 00:00:00 grep
--color=auto kam
and I can get results from kamctl/kamcmd commands:
[root@vm-vse02-siprouter1 ~]# kamctl dispatcher dump
which: no gdb in
(/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/)
{
"jsonrpc": "2.0",
"result": {
"NRSETS": 1,
"RECORDS": [{
"SET": {
"ID": 1,
"TARGETS": [{
"DEST": {
"URI":
"sip:cs1-tool-misc.orange-voicemail.net:5060",
"FLAGS": "AP",
"PRIORITY": 0
}
}]
}
}]
},
"id": 1301
}
[root@vm-vse02-siprouter1 ~]# kamcmd dispatcher.list
{
NRSETS: 1
RECORDS: {
SET: {
ID: 1
TARGETS: {
DEST: {
URI:
sip:cs1-tool-misc.orange-voicemail.net:5060
FLAGS: AP
PRIORITY: 0
}
}
}
}
}
Now, if I change the fifo path and name to
"/var/run/kamailio/kamailio_rpc_fifo" and apply the following
rights on /var/run/:
chmod 755 kamailio/
chown kamailio:kamailio kamailio/
then kamailio starts.
Is there a reason for these results?
Thanks in advance for your answer.
Regards,
Patrick GINHOUX
--
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Mar 6-8 (Europe) and Mar 20-22 (USA) - www.asipto.com
Kamailio World Conference - May 8-10, 2017 - www.kamailioworld.com
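
The following is an added example, not part of the original thread and not Kamailio code: a check of whether the classic owner/group/other mode bits alone explain a "Can't create FIFO: Permission denied" for a given uid/gid, before SELinux is suspected. The function names `perm_bits` and `fifo_dac_check` are hypothetical; it assumes GNU `stat` and ignores ACLs, supplementary groups and SELinux.

```shell
#!/bin/sh
# Added example: does plain DAC (mode bits) allow uid/gid to create a FIFO
# at the given path? Creating a file needs write+search on the parent
# directory and search on every ancestor directory.

# perm_bits UID GID PATH -> prints the rwx digit (0-7) that applies to UID/GID
perm_bits() {
    # root bypasses mode bits (CAP_DAC_OVERRIDE)
    [ "$1" -eq 0 ] && { echo 7; return; }
    # after this: $3 = owner uid, $4 = owner gid, $5 = octal mode (e.g. 755, 1777)
    set -- "$1" "$2" $(stat -c '%u %g %a' "$3")
    m=$((0$5))
    if   [ "$1" -eq "$3" ]; then echo $(( (m >> 6) & 7 ))
    elif [ "$2" -eq "$4" ]; then echo $(( (m >> 3) & 7 ))
    else echo $(( m & 7 ))
    fi
}

# fifo_dac_check UID GID FIFO_PATH
# prints "ok", or "missing:DIR", "no-write:DIR", "no-search:DIR" for the
# first directory that blocks creation; returns non-zero when blocked
fifo_dac_check() {
    uid=$1 gid=$2 dir=$(dirname "$3")
    [ -d "$dir" ] || { echo "missing:$dir"; return 1; }
    bits=$(perm_bits "$uid" "$gid" "$dir")
    # w (2) and x (1) are both required on the parent directory
    [ $((bits & 3)) -eq 3 ] || { echo "no-write:$dir"; return 1; }
    d=$(dirname "$dir")
    while :; do
        bits=$(perm_bits "$uid" "$gid" "$d")
        [ $((bits & 1)) -eq 1 ] || { echo "no-search:$d"; return 1; }
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
    echo ok
}

# stand-alone use: script.sh <uid> <gid> <fifo-path>
if [ $# -eq 3 ]; then fifo_dac_check "$@"; fi
```

Run it with the numeric uid and gid of the account Kamailio runs as (`id -u kamailio`, `id -g kamailio`) and the configured FIFO path. If it prints `ok` and the FIFO still cannot be created, the mode bits are not the cause and the audit log (`ausearch -m avc`) is the next place to look.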