[SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME settings problem

Daniel-Constantin Mierla miconda at gmail.com
Mon Apr 3 14:56:00 CEST 2017


Hello,

how do you start Kamailio? Via init.d/systemd script?

Cheers,
Daniel


On 03.04.17 14:34, Ginhoux, Patrick wrote:
>
> Hi,
>
>  
>
> Selinux is disabled.
>
>  
>
> Regards
>
> Patrick GINHOUX
>
>  
>
> *From:* Daniel-Constantin Mierla [mailto:miconda at gmail.com]
> *Sent:* Monday 3 April 2017 14:33
> *To:* Ginhoux, Patrick <patrick.ginhoux at fr.unisys.com>; Kamailio (SER)
> - Users Mailing List <sr-users at lists.sip-router.org>
> *Subject:* Re: [SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME settings problem
>
>  
>
> Hello,
>
> have you disabled selinux to see if it starts ok without it?
>
> Cheers,
> Daniel
>
>  
>
> On 03.04.17 13:54, Ginhoux, Patrick wrote:
>
>     Hi,
>
>      
>
>     Well, with one of my colleagues, we did some research and tests,
>     but we didn’t find where the privilege issue is with the /var/ FS.
>
>     If the fifo filename is "/var/run/kamailio/kamailio_rpc_fifo" or
>     "/var/run/kamailio_rpc_fifo", we have this privilege issue.
>
>     I thought that the following declaration would prevent this
>     security issue :
>
>     modparam("jsonrpcs", "fifo_name", DEFINE_FIFO_NAME)
>
>     modparam("jsonrpcs", "fifo_mode", 0755)
>
>     modparam("jsonrpcs", "fifo_group", "kamailio")
>
>     modparam("jsonrpcs", "fifo_user", "kamailio")
>
>     but it is not the case.
>
>      
>
>     For the moment only the fifo filename "/tmp/kamailio_rpc_fifo" is
>     valid for kamailio to start.
>
>      
>
>      
>
>     Regards
>
>     Patrick GINHOUX
>
>      
>
>     *From:* Ginhoux, Patrick
>     *Sent:* Monday 27 March 2017 17:46
>     *To:* miconda at gmail.com; Kamailio (SER) - Users Mailing List
>     <sr-users at lists.sip-router.org>
>     *Subject:* RE: [SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME settings
>     problem
>
>      
>
>     Hi,
>
>      
>
>     I continue to investigate on this area.
>
>      
>
>     I’m thinking that there are some security settings on the FS
>     /var/, and I’m checking whether we have the rights to change them (I
>     work for a project and don’t have the ability to change some
>     settings without agreement).
>
>      
>
>     I’ll update you later tomorrow.
>
>      
>
>     Regards
>
>     Patrick GINHOUX
>
>      
>
>     *From:* Daniel-Constantin Mierla [mailto:miconda at gmail.com]
>     *Sent:* Monday 27 March 2017 15:28
>     *To:* Ginhoux, Patrick <patrick.ginhoux at fr.unisys.com>; Kamailio (SER) - Users
>     Mailing List <sr-users at lists.sip-router.org>
>     *Subject:* Re: [SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME settings
>     problem
>
>      
>
>     Hello,
>
>     as recently as last week, someone encountered a file access
>     problem while installing Siremis, which is also using some
>     temporary files in /var/, even though it was granting privileges via
>     chown and chmod. All went fine after disabling selinux. It was on
>     a centos.
>
>     I am not saying it is the same, but it could, so try without
>     centos to see if the issue persists.
>
>     Cheers,
>     Daniel
>
>      
>
>     On 27/03/2017 15:10, Ginhoux, Patrick wrote:
>
>         Hi,
>
>          
>
>         This is the RHEL 7.1 distro, and there is use of selinux,
>         apparmor or other tools.             
>
>          
>
>         Are you meaning that the /var/run/ folder would be secured
>         more than other folders?
>
>          
>
>         Regards
>
>         Patrick GINHOUX
>
>          
>
>         *From:* sr-users [mailto:sr-users-bounces at lists.sip-router.org]
>         *On behalf of* Daniel-Constantin Mierla
>         *Sent:* Monday 27 March 2017 13:52
>         *To:* Kamailio (SER) - Users Mailing List
>         <sr-users at lists.sip-router.org>
>         *Subject:* Re: [SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME
>         settings problem
>
>          
>
>         Hello,
>
>         kamailio should attempt to create the /var/run/kamailio folder
>         if the application is run with enough privileges. However,
>         some operating systems add more constraints on top of the
>         execution user.
>
>         What is your OS distro? Do you have selinux, apparmor or other
>         similar tools enabled?
>
>         Cheers,
>         Daniel
>
>          
>
>         On 24/03/2017 17:52, Ginhoux, Patrick wrote:
>
>             In my ‘kamctlrc’ file :
>
>              
>
>             ## path to FIFO file for engine RPCFIFO
>
>             RPCFIFOPATH="/var/run/kamailio/kamailio_rpc_fifo"
>
>             #RPCFIFOPATH="/tmp/kamailio_rpc_fifo"
>
>              
>
>             In my ‘kamailio.cfg’ :
>
>              
>
>             !!ifndef DEFINE_FIFO_NAME
>
>             !!define DEFINE_FIFO_NAME "/var/run/kamailio/kamailio_rpc_fifo"
>
>             !!endif
>
>              
>
>              
>
>             modparam("jsonrpcs", "pretty_format", 1)
>
>             modparam("jsonrpcs", "transport", 2)
>
>             modparam("jsonrpcs", "fifo_name", DEFINE_FIFO_NAME)
>
>             modparam("jsonrpcs", "fifo_mode", 0755)
>
>             modparam("jsonrpcs", "fifo_group", "kamailio")
>
>             modparam("jsonrpcs", "fifo_user", "kamailio")
>
>              
>
>              
>
>             kamailio doesn’t start. It reports ‘Permission denied’ :
>
>              
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1138]: ERROR:
>             jsonrpcs [jsonrpcs_fifo.c:144]:
>             jsonrpc_init_fifo_server(): Can't create FIFO: Permission
>             denied (mode=493)
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1138]:
>             CRITICAL: jsonrpcs [jsonrpcs_fifo.c:489]:
>             jsonrpc_fifo_process(): failed to init jsonrpc fifo server
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1120]: ALERT:
>             <core> [main.c:741]: handle_sigs(): child process 1138
>             exited normally, status=255
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1130]: DEBUG:
>             <core> [core/sr_module.c:920]: init_mod_child(): rank 4: tm
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1137]: DEBUG:
>             <core> [core/sr_module.c:920]: init_mod_child(): rank -1: tm
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1127]: DEBUG:
>             htable [htable.c:226]: child_init(): rank is (1)
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1120]: INFO:
>             <core> [main.c:759]: handle_sigs(): terminating due to SIGCHLD
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1139]: DEBUG:
>             <core> [core/sr_module.c:920]: init_mod_child(): rank -2: kex
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1130]: DEBUG:
>             tm [callid.c:137]: child_init_callid(): callid:
>             '15b1f0d63a718465-1130 at 129.227.83.108'
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1137]: DEBUG:
>             tm [callid.c:137]: child_init_callid(): callid:
>             '15b1f0d63a718465-1137 at 129.227.83.108'
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1127]: DEBUG:
>             <core> [core/action.c:1656]: run_child_one_init_route():
>             attempting to run event_route[core:worker-one-init]
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1136]: INFO:
>             <core> [main.c:814]: sig_usr(): signal 15 received
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1135]: INFO:
>             <core> [main.c:814]: sig_usr(): signal 15 received
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1134]: INFO:
>             <core> [main.c:814]: sig_usr(): signal 15 received
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1133]: INFO:
>             <core> [main.c:814]: sig_usr(): signal 15 received
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1132]: INFO:
>             <core> [main.c:814]: sig_usr(): signal 15 received
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1131]: INFO:
>             <core> [main.c:814]: sig_usr(): signal 15 received
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1129]: INFO:
>             <core> [main.c:814]: sig_usr(): signal 15 received
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1128]: INFO:
>             <core> [main.c:814]: sig_usr(): signal 15 received
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1120]: ERROR:
>             ctl [ctl.c:387]: mod_destroy(): ERROR: ctl: could not
>             delete unix socket /var/run/kamailio//kamailio_ctl:
>             Permission denied (13)
>
>             Mar 24 17:31:21 localhost /usr/sbin/kamailio[1120]: ERROR:
>             jsonrpcs [jsonrpcs_fifo.c:595]: jsonrpc_fifo_destroy():
>             FIFO stat failed: Permission denied
>
>              
>
>             If I replace the values in the 2 files as appropriate :
>
>              
>
>             In the ‘kamctlrc’ to RPCFIFOPATH="/tmp/kamailio_rpc_fifo"
>
>
>
>             In the ‘kamailio.cfg’ to !!define DEFINE_FIFO_NAME "/tmp/kamailio_rpc_fifo"
>
>              
>
>             Then kamailio starts :
>
>              
>
>             [root at vm-vse02-siprouter1 ~]# ps -ef |grep kam
>
>             kamailio  1235     1  0 17:37 ?        00:00:00
>             /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
>             -u kamailio -g kamailio
>
>             kamailio  1236  1235  0 17:37 ?        00:00:00
>             /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
>             -u kamailio -g kamailio
>
>             kamailio  1237  1235  0 17:37 ?        00:00:00
>             /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
>             -u kamailio -g kamailio
>
>             kamailio  1238  1235  0 17:37 ?        00:00:00
>             /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
>             -u kamailio -g kamailio
>
>             kamailio  1239  1235  0 17:37 ?        00:00:00
>             /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
>             -u kamailio -g kamailio
>
>             kamailio  1240  1235  0 17:37 ?        00:00:00
>             /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
>             -u kamailio -g kamailio
>
>             kamailio  1241  1235  0 17:37 ?        00:00:00
>             /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
>             -u kamailio -g kamailio
>
>             kamailio  1242  1235  0 17:37 ?        00:00:00
>             /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
>             -u kamailio -g kamailio
>
>             kamailio  1243  1235  0 17:37 ?        00:00:00
>             /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
>             -u kamailio -g kamailio
>
>             kamailio  1244  1235  0 17:37 ?        00:00:00
>             /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
>             -u kamailio -g kamailio
>
>             kamailio  1245  1235  0 17:37 ?        00:00:00
>             /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
>             -u kamailio -g kamailio
>
>             kamailio  1246  1235  0 17:37 ?        00:00:00
>             /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
>             -u kamailio -g kamailio
>
>             kamailio  1247  1235  0 17:37 ?        00:00:00
>             /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
>             -u kamailio -g kamailio
>
>             kamailio  1248  1235  0 17:37 ?        00:00:00
>             /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8
>             -u kamailio -g kamailio
>
>             root      1251  1165  0 17:37 pts/0    00:00:00 grep
>             --color=auto kam
>
>              
>
>             and I can get result from kamctl/kamcmd commands :
>
>             [root at vm-vse02-siprouter1 ~]# kamctl dispatcher dump
>
>             which: no gdb in
>             (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/)
>
>             {
>
>               "jsonrpc":  "2.0",
>
>               "result": {
>
>                 "NRSETS": 1,
>
>                 "RECORDS":  [{
>
>                     "SET":  {
>
>                       "ID": 1,
>
>                       "TARGETS":  [{
>
>                           "DEST": {
>
>                             "URI":  "sip:cs1-tool-misc.orange-voicemail.net:5060",
>
>                             "FLAGS":  "AP",
>
>                             "PRIORITY": 0
>
>                           }
>
>                         }]
>
>                     }
>
>                   }]
>
>               },
>
>               "id": 1301
>
>             }
>
>             [root at vm-vse02-siprouter1 ~]# kamcmd dispatcher.list
>
>             {
>
>                     NRSETS: 1
>
>                     RECORDS: {
>
>                             SET: {
>
>                                     ID: 1
>
>                                     TARGETS: {
>
>                                             DEST: {
>
>                                                     URI:
>             sip:cs1-tool-misc.orange-voicemail.net:5060
>
>                                                     FLAGS: AP
>
>                                                     PRIORITY: 0
>
>                                             }
>
>                                     }
>
>                             }
>
>                     }
>
>             }
>
>              
>
>              
>
>             Now, if I change the fifo path and name to
>             “/var/run/kamailio/kamailio_rpc_fifo” and apply the
>             following rights on /var/run/:
>
>
>
>             chmod 755 kamailio/
>
>             chown kamailio:kamailio kamailio/
>
>              
>
>             then kamailio starts.
>
>              
>
>             Is there a reason for these results ?
>
>              
>
>             Thanks in advance for your answer.
>
>              
>
>             Regards
>
>             Patrick GINHOUX
>
>              
>

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - May 22-24 (USA) - www.asipto.com
Kamailio World Conference - May 8-10, 2017 - www.kamailioworld.com
