[SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME settings problem
Daniel-Constantin Mierla
miconda at gmail.com
Mon Apr 3 14:56:00 CEST 2017
Hello,
how do you start Kamailio? Via init.d/systemd script?
Cheers,
Daniel
On 03.04.17 14:34, Ginhoux, Patrick wrote:
>
> Hi,
>
>
>
> Selinux is disabled.
>
>
>
> Cordialement
>
> Patrick GINHOUX
>
>
>
> *De :*Daniel-Constantin Mierla [mailto:miconda at gmail.com]
> *Envoyé :* lundi 3 avril 2017 14:33
> *À :* Ginhoux, Patrick <patrick.ginhoux at fr.unisys.com>; Kamailio (SER)
> - Users Mailing List <sr-users at lists.sip-router.org>
> *Objet :* Re: [SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME settings problem
>
>
>
> Hello,
>
> have you disabled selinux to see if starts ok without it?
>
> Cheers,
> Daniel
>
>
>
> On 03.04.17 13:54, Ginhoux, Patrick wrote:
>
> Hi,
>
>
>
> Well, with one of my colleagues, we did some research and test,
> but we don’t find where the privilege issue is with the /var/ FS.
>
> If the fifo filename is "/var/run/kamailio/kamailio_rpc_fifo" or
> "/var/run/kamailio_rpc_fifo", we have this privilege issue.
>
> I thought that the following declaration would prevent this
> security issue :
>
> modparam("jsonrpcs", "fifo_name", DEFINE_FIFO_NAME)
>
> modparam("jsonrpcs", "fifo_mode", 0755)
>
> modparam("jsonrpcs", "fifo_group", "kamailio")
>
> modparam("jsonrpcs", "fifo_user", "kamailio")
>
> but it is not the case.
>
>
>
> For the moment only the fifo filename “/tmp/kamailio_rpc_fifo" is
> valid for kamailio to start.
>
>
>
>
>
> Cordialement
>
> Patrick GINHOUX
>
>
>
> *De :*Ginhoux, Patrick
> *Envoyé :* lundi 27 mars 2017 17:46
> *À :* 'miconda at gmail.com <mailto:miconda at gmail.com>'
> <miconda at gmail.com> <mailto:miconda at gmail.com>; Kamailio (SER) -
> Users Mailing List <sr-users at lists.sip-router.org>
> <mailto:sr-users at lists.sip-router.org>
> *Objet :* RE: [SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME settings
> problem
>
>
>
> Hi,
>
>
>
> I continue to investigate on this area.
>
>
>
> I’m thinking that there are some security settings on the FS
> /var/, and I’m looking for if we have the rights to change it (I
> work for a project and don’t have all the ability to change some
> settings without agreement).
>
>
>
> I’ll update you later tomorrow.
>
>
>
> Cordialement
>
> Patrick GINHOUX
>
>
>
> *De :*Daniel-Constantin Mierla [mailto:miconda at gmail.com]
> *Envoyé :* lundi 27 mars 2017 15:28
> *À :* Ginhoux, Patrick <patrick.ginhoux at fr.unisys.com
> <mailto:patrick.ginhoux at fr.unisys.com>>; Kamailio (SER) - Users
> Mailing List <sr-users at lists.sip-router.org
> <mailto:sr-users at lists.sip-router.org>>
> *Objet :* Re: [SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME settings
> problem
>
>
>
> Hello,
>
> as recently as last week, someone encountered an file access
> problem while installing Siremis, which is using also some
> temporary files in /var/, even it was granting provileges via
> chown and chmod. All went fine after disabling selinux. It was on
> a centos.
>
> I am not saying it is the same, but it could, so try without
> centos to see if the issue persists.
>
> Cheers,
> Daniel
>
>
>
> On 27/03/2017 15:10, Ginhoux, Patrick wrote:
>
> Hi,
>
>
>
> This is the RHEL 7.1 distro, and there is use of selinux,
> apparmor or other tools.
>
>
>
> Are you meaning that the /var/run/ folder would be secured
> more than other folders?
>
>
>
> Cordialement
>
> Patrick GINHOUX
>
>
>
> *De :*sr-users [mailto:sr-users-bounces at lists.sip-router.org]
> *De la part de* Daniel-Constantin Mierla
> *Envoyé :* lundi 27 mars 2017 13:52
> *À :* Kamailio (SER) - Users Mailing List
> <sr-users at lists.sip-router.org>
> <mailto:sr-users at lists.sip-router.org>
> *Objet :* Re: [SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME
> settings problem
>
>
>
> Hello,
>
> kamailio should attempt to create the /var/run/kamailio folder
> if the application is run with enough privileges. However,
> some operating systems add more constraints on top of the
> execution user.
>
> What is your OS distro? Do you have selinux, apparmor or other
> similar tools enabled?
>
> Cheers,
> Daniel
>
>
>
> On 24/03/2017 17:52, Ginhoux, Patrick wrote:
>
> In my ‘kamctlrc’ file :
>
>
>
> ## path to FIFO file for engine RPCFIFO
>
> RPCFIFOPATH="/var/run/kamailio/kamailio_rpc_fifo"
>
> #RPCFIFOPATH="/tmp/kamailio_rpc_fifo"
>
>
>
> In my ‘kamailio.cfg’ :
>
>
>
> !!ifndef DEFINE_FIFO_NAME
>
> !!define DEFINE_FIFO_NAME
> "/var/run/kamailio/kamailio_rpc_fifo"
>
> !!endif
>
>
>
>
>
> modparam("jsonrpcs", "pretty_format", 1)
>
> modparam("jsonrpcs", "transport", 2)
>
> modparam("jsonrpcs", "fifo_name", DEFINE_FIFO_NAME)
>
> modparam("jsonrpcs", "fifo_mode", 0755)
>
> modparam("jsonrpcs", "fifo_group", "kamailio")
>
> modparam("jsonrpcs", "fifo_user", "kamailio")
>
>
>
>
>
> kamailio doesn’t start. It reports ‘Permission denied’ :
>
>
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1138]: ERROR:
> jsonrpcs [jsonrpcs_fifo.c:144]:
> jsonrpc_init_fifo_server(): Can't create FIFO: Permission
> denied (mode=493)
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1138]:
> CRITICAL: jsonrpcs [jsonrpcs_fifo.c:489]:
> jsonrpc_fifo_process(): failed to init jsonrpc fifo server
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1120]: ALERT:
> <core> [main.c:741]: handle_sigs(): child process 1138
> exited normally, status=255
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1130]: DEBUG:
> <core> [core/sr_module.c:920]: init_mod_child(): rank 4: tm
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1137]: DEBUG:
> <core> [core/sr_module.c:920]: init_mod_child(): rank -1: tm
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1127]: DEBUG:
> htable [htable.c:226]: child_init(): rank is (1)
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1120]: INFO:
> <core> [main.c:759]: handle_sigs(): terminating due to SIGCHLD
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1139]: DEBUG:
> <core> [core/sr_module.c:920]: init_mod_child(): rank -2: kex
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1130]: DEBUG:
> tm [callid.c:137]: child_init_callid(): callid:
> '15b1f0d63a718465-1130 at 129.227.83.108
> <mailto:15b1f0d63a718465-1130 at 129.227.83.108>'
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1137]: DEBUG:
> tm [callid.c:137]: child_init_callid(): callid:
> '15b1f0d63a718465-1137 at 129.227.83.108
> <mailto:15b1f0d63a718465-1137 at 129.227.83.108>'
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1127]: DEBUG:
> <core> [core/action.c:1656]: run_child_one_init_route():
> attempting to run event_route[core:worker-one-init]
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1136]: INFO:
> <core> [main.c:814]: sig_usr(): signal 15 received
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1135]: INFO:
> <core> [main.c:814]: sig_usr(): signal 15 received
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1134]: INFO:
> <core> [main.c:814]: sig_usr(): signal 15 received
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1133]: INFO:
> <core> [main.c:814]: sig_usr(): signal 15 received
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1132]: INFO:
> <core> [main.c:814]: sig_usr(): signal 15 received
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1131]: INFO:
> <core> [main.c:814]: sig_usr(): signal 15 received
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1129]: INFO:
> <core> [main.c:814]: sig_usr(): signal 15 received
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1128]: INFO:
> <core> [main.c:814]: sig_usr(): signal 15 received
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1120]: ERROR:
> ctl [ctl.c:387]: mod_destroy(): ERROR: ctl: could not
> delete unix socket /var/run/kamailio//kamailio_ctl:
> Permission denied (13)
>
> Mar 24 17:31:21 localhost /usr/sbin/kamailio[1120]: ERROR:
> jsonrpcs [jsonrpcs_fifo.c:595]: jsonrpc_fifo_destroy():
> FIFO stat failed: Permission denied
>
>
>
> If I replace the values in the 2 files as appropriate :
>
>
>
> In the ‘kamctlrc” toRPCFIFOPATH="/tmp/kamailio_rpc_fifo"
>
>
>
> In the ‘kamailio.cfg” to!!define DEFINE_FIFO_NAME
> "/tmp/kamailio_rpc_fifo"
>
>
>
> Then kamailo starts :
>
>
>
> [root at vm-vse02-siprouter1 ~]# ps -ef |grep kam
>
> kamailio 1235 1 0 17:37 ? 00:00:00
> /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
> -u kamailio -g kamailio
>
> kamailio 1236 1235 0 17:37 ? 00:00:00
> /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
> -u kamailio -g kamailio
>
> kamailio 1237 1235 0 17:37 ? 00:00:00
> /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
> -u kamailio -g kamailio
>
> kamailio 1238 1235 0 17:37 ? 00:00:00
> /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
> -u kamailio -g kamailio
>
> kamailio 1239 1235 0 17:37 ? 00:00:00
> /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
> -u kamailio -g kamailio
>
> kamailio 1240 1235 0 17:37 ? 00:00:00
> /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
> -u kamailio -g kamailio
>
> kamailio 1241 1235 0 17:37 ? 00:00:00
> /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
> -u kamailio -g kamailio
>
> kamailio 1242 1235 0 17:37 ? 00:00:00
> /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
> -u kamailio -g kamailio
>
> kamailio 1243 1235 0 17:37 ? 00:00:00
> /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
> -u kamailio -g kamailio
>
> kamailio 1244 1235 0 17:37 ? 00:00:00
> /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
> -u kamailio -g kamailio
>
> kamailio 1245 1235 0 17:37 ? 00:00:00
> /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
> -u kamailio -g kamailio
>
> kamailio 1246 1235 0 17:37 ? 00:00:00
> /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
> -u kamailio -g kamailio
>
> kamailio 1247 1235 0 17:37 ? 00:00:00
> /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
> -u kamailio -g kamailio
>
> kamailio 1248 1235 0 17:37 ? 00:00:00
> /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
> -u kamailio -g kamailio
>
> root 1251 1165 0 17:37 pts/0 00:00:00 grep
> --color=auto kam
>
>
>
> and I can get result from kamctl/kamcmd commands :
>
> [root at vm-vse02-siprouter1 ~]# kamctl dispatcher dump
>
> which: no gdb in
> (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/)
>
> {
>
> "jsonrpc": "2.0",
>
> "result": {
>
> "NRSETS": 1,
>
> "RECORDS": [{
>
> "SET": {
>
> "ID": 1,
>
> "TARGETS": [{
>
> "DEST": {
>
> "URI":
> "sip:cs1-tool-misc.orange-voicemail.net:5060"
> <sip:cs1-tool-misc.orange-voicemail.net:5060>,
>
> "FLAGS": "AP",
>
> "PRIORITY": 0
>
> }
>
> }]
>
> }
>
> }]
>
> },
>
> "id": 1301
>
> }
>
> [root at vm-vse02-siprouter1 ~]# kamcmd dispatcher.list
>
> {
>
> NRSETS: 1
>
> RECORDS: {
>
> SET: {
>
> ID: 1
>
> TARGETS: {
>
> DEST: {
>
> URI:
> sip:cs1-tool-misc.orange-voicemail.net:5060
>
> FLAGS: AP
>
> PRIORITY: 0
>
> }
>
> }
>
> }
>
> }
>
> }
>
>
>
>
>
> Now, if I change the fifo patch and name to
> “/var/run/kamailio/kamailio_rpc_fifo’ and apply the
> following rights on /var/run/ to:
>
>
>
> chmod 755 kamalio/
>
> chown + kamailio:kamailio kamailio/
>
>
>
> then kamailio starts.
>
>
>
> Is there a reason for these results ?
>
>
>
> Thanks in advance for your answer.
>
>
>
> Cordialement
>
> Patrick GINHOUX
>
>
>
>
>
>
>
> _______________________________________________
>
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>
> sr-users at lists.sip-router.org
> <mailto:sr-users at lists.sip-router.org>
>
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
>
>
>
> --
>
> Daniel-Constantin Mierla
>
> www.twitter.com/miconda <http://www.twitter.com/miconda> -- www.linkedin.com/in/miconda <http://www.linkedin.com/in/miconda>
>
> Kamailio Advanced Training - Mar 6-8 (Europe) and Mar 20-22 (USA) - www.asipto.com <http://www.asipto.com>
>
> Kamailio World Conference - May 8-10, 2017 - www.kamailioworld.com <http://www.kamailioworld.com>
>
>
>
> --
>
> Daniel-Constantin Mierla
>
> www.twitter.com/miconda <http://www.twitter.com/miconda> -- www.linkedin.com/in/miconda <http://www.linkedin.com/in/miconda>
>
> Kamailio Advanced Training - Mar 6-8 (Europe) and Mar 20-22 (USA) - www.asipto.com <http://www.asipto.com>
>
> Kamailio World Conference - May 8-10, 2017 - www.kamailioworld.com <http://www.kamailioworld.com>
>
>
>
> --
> Daniel-Constantin Mierla
> www.twitter.com/miconda <http://www.twitter.com/miconda> -- www.linkedin.com/in/miconda <http://www.linkedin.com/in/miconda>
> Kamailio Advanced Training - May 22-24 (USA) - www.asipto.com <http://www.asipto.com>
> Kamailio World Conference - May 8-10, 2017 - www.kamailioworld.com <http://www.kamailioworld.com>
--
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - May 22-24 (USA) - www.asipto.com
Kamailio World Conference - May 8-10, 2017 - www.kamailioworld.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20170403/4e596933/attachment.html>
More information about the sr-users
mailing list