[asterisk-users] Access rights between AGI and Web server?

vincent.delporte at bi...
Posted: Sun Mar 23, 2008 5:05 am    Post subject: [asterisk-users] Access rights between AGI and Web server?

Hello

I run AGI scripts from extensions.conf to save data into an SQLite
database file, but this file must also be accessible in read-write
mode by PHP scripts served by Lighttpd.

As far as I can tell, Asterisk runs by default as root:wheel. I don't
know if AGI scripts also run as root:wheel.

Lighttpd runs as www:www, and if I create a new SQLite database
through PHP scripts, they're created as www:wheel.

What do you recommend I do so both AGI scripts and PHP scripts can
work with a common SQLite file? Should I run Asterisk as www:www,
www:wheel? Something else?

Thank you.

bwentdg at pipeline.com
Posted: Sun Mar 23, 2008 7:21 am    Post subject: [asterisk-users] Access rights between AGI and Web server?

Why are you using "AGI Scripts" to get to MySQL instead of the MYSQL
add-on package? It seems that would be a hell of a lot more efficient as
well as easier to code.

Please share as I am very very curious about this as I will soon be
facing it on a Large project.
Thx

Vincent wrote:
Quote:
Hello

I run AGI scripts from extensions.conf to save data into an SQLite
database file, but this file must also be accessible in read-write
mode by PHP scripts served by Lighttpd.

As far as I can tell, Asterisk runs by default as root:wheel. I don't
know if AGI scripts also run as root:wheel.

Lighttpd runs as www:www, and if I create a new SQLite database
through PHP scripts, they're created as www:wheel.

What do you recommend I do so both AGI scripts and PHP scripts can
work with a common SQLite file? Should I run Asterisk as www:www,
www:wheel? Something else?

Thank you.


_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users



asterisk.org at sedwar...
Posted: Sun Mar 23, 2008 8:34 pm    Post subject: [asterisk-users] Access rights between AGI and Web server?

Thanks for the top-post :)

Quote:
Vincent wrote:
Quote:

I run AGI scripts from extensions.conf to save data into an SQLite
database file, but this file must also be accessible in read-write
mode by PHP scripts served by Lighttpd.

On Sun, 23 Mar 2008, Al Baker wrote:

Quote:
Why are you using "AGI Scripts" to get to MySQL instead of the MYSQL
add-on package? It seems that would be a hell of a lot more efficient as
well as easier to code.

SQLite is not the same as MySQL -- that's why they have different names...

Don't discount AGI's (written in C) for performance. Even a wimpy 1.6 GHz
Celeron can execute 100 per second.

Quote:
Please share as I am very very curious about this as I will soon be
facing it on a Large project.

Does "large" mean voluminous or complex? AGI's allow you to "wrap"
complex logic into a single dialplan step. I confess I've never used the
MySQL dialplan interface, but the idea of keeping track of several
(nested) result sets and accumulating values and making decisions sounds
like the place for a "real" language. (He says ducking behind his
collection of H&S and Knuth for protection.)

"Hiding" such details seems like good engineering to me.

Also, when working with "large" projects, I like a compiler that can
complain when I accidentally mung a variable name as I scroll through the
source code in my editor.

Thanks in advance,
------------------------------------------------------------------------
Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000

chris.carey at gmail.com
Posted: Sun Mar 23, 2008 8:54 pm    Post subject: [asterisk-users] Access rights between AGI and Web server?

Quote:

What do you recommend I do so both AGI scripts and PHP scripts can
work with a common SQLite file? Should I run Asterisk as www:www,
www:wheel? Something else?


I run the web server and apache both as the user asterisk

chris.carey at gmail.com
Posted: Sun Mar 23, 2008 8:55 pm    Post subject: [asterisk-users] Access rights between AGI and Web server?

Quote:

What do you recommend I do so both AGI scripts and PHP scripts can
work with a common SQLite file? Should I run Asterisk as www:www,
www:wheel? Something else?


Correction: I run the web server and asterisk both as the user asterisk

asterisk.org at sedwar...
Posted: Sun Mar 23, 2008 9:08 pm    Post subject: [asterisk-users] Access rights between AGI and Web server?

On Sun, 23 Mar 2008, Vincent wrote:

Quote:
I run AGI scripts from extensions.conf to save data into an SQLite
database file, but this file must also be accessible in read-write
mode by PHP scripts served by Lighttpd.

As far as I can tell, Asterisk runs by default as root:wheel. I don't
know if AGI scripts also run as root:wheel.

On BSD? On my CentOS box, Asterisk runs as root:root. Since AGI's are
separate processes created by Asterisk, they also run as root:root.

Quote:
Lighttpd runs as www:www, and if I create a new SQLite database
through PHP scripts, they're created as www:wheel.

What do you recommend I do so both AGI scripts and PHP scripts can
work with a common SQLite file? Should I run Asterisk as www:www,
www:wheel? Something else?

Since the AGI is already running as root, why can't it access the SQLite
data file?

Try creating /var/lib/asterisk/agi-bin/test containing:

#!/bin/bash

set >/tmp/test

Execute "chmod +x /var/lib/asterisk/agi-bin/test" so it can be executed.
Cobble up a dialplan to execute "agi(test)."

What does

ls -l /tmp/test

look like?

Mine looks like:

-rw-r--r-- 1 root root 623 Mar 23 18:51 /tmp/test

What does

cat /tmp/test

look like?

Mine looks like:

BASH=/bin/bash
BASH_ARGC=()
BASH_ARGV=()
BASH_LINENO=([0]="0")
BASH_SOURCE=([0]="/var/lib/asterisk/agi-bin/test")
BASH_VERSINFO=([0]="3" [1]="00" [2]="15" [3]="1" [4]="release" [5]="i686-redhat-linux-gnu")
BASH_VERSION='3.00.15(1)-release'
DATABASE-DATABASE=
DATABASE-PASSWORD=
DATABASE-SERVER=
DATABASE-USER=
DIRSTACK=()
EUID=0
GROUPS=()
HOST=foo
HOSTNAME=foo.sedwards.com
HOSTTYPE=i686
IFS=$' \t\n'
MACHTYPE=i686-redhat-linux-gnu
OPTERR=1
OPTIND=1
OSTYPE=linux-gnu
PATH=/usr/local/bin/:/bin/
PPID=8435
PS4='+ '
PWD=/tmp
SHELL=/bin/bash
SHELLOPTS=braceexpand:hashall:interactive-comments
SHLVL=1
TERM=dumb
UID=0
_=/bin/bash

Thanks in advance,
------------------------------------------------------------------------
Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000

vincent.delporte at bi...
Posted: Mon Mar 24, 2008 6:50 am    Post subject: [asterisk-users] Access rights between AGI and Web server?

On Sun, 23 Mar 2008 19:55:32 -0600, "Chris Carey"
<chris.carey at gmail.com> wrote:
Quote:
Correction: I run the web server and asterisk both as the user asterisk

I wish I could, but I have no idea how to safely tell Asterisk to run
as www instead of root, as it does now. I assume I'll have to
chmod/chown a bunch of files and directories, but I'd have to know
exactly what to do.

Guest
Posted: Mon Mar 24, 2008 2:05 pm    Post subject: [asterisk-users] Access rights between AGI and Web server?

Vincent wrote:
Quote:
Hello

I run AGI scripts from extensions.conf to save data into an SQLite
database file, but this file must also be accessible in read-write
mode by PHP scripts served by Lighttpd.

As far as I can tell, Asterisk runs by default as root:wheel. I don't
know if AGI scripts also run as root:wheel.

Lighttpd runs as www:www, and if I create a new SQLite database
through PHP scripts, they're created as www:wheel.

What do you recommend I do so both AGI scripts and PHP scripts can
work with a common SQLite file? Should I run Asterisk as www:www,
www:wheel? Something else?

Thank you.



Don't forget that in PHP you have access to chown(), chgrp(), and
chmod() -- You can change the files' permissions or uid/guid just after
you create them.

If the AGIs do run as root:wheel, then there should be no problem,
because they should be able to access the db files?
<?php
$u = posix_getpwuid(posix_getuid());
$g = posix_getgrgid(posix_getgid());
echo "This script is running as ".$u['name'].":".$g['name'];
?>

vincent.delporte at bi...
Posted: Mon Mar 24, 2008 2:13 pm    Post subject: [asterisk-users] Access rights between AGI and Web server?

On Mon, 24 Mar 2008 11:05:32 -0800, "Mojo with Horan & Company, LLC"
<mojo at horanappraisals.com> wrote:
Quote:
If the AGIs do run as root:wheel, then there should be no problem,
because they should be able to access the db files?

I agree, but even after uninstalling Lighttpd and installing Apache2,
just to make sure it wasn't some security issue that would prevent a
PHP script from writing to files outside the /data directory, I have
the same issue :-/

Quote:
<?php
$u = posix_getpwuid(posix_getuid());
$g = posix_getgrgid(posix_getgid());
echo "This script is running as ".$u['name'].":".$g['name'];
?>

1. Here's the output:

echo exec('id') . "<hr>";
$u = posix_getpwuid(posix_getuid());
$g = posix_getgrgid(posix_getgid());
echo "This script is running as ".$u['name'].":".$g['name'];
=>
uid=80(www) gid=80(www) groups=80(www)
This script is running as www:www

2. The PHP script and the SQLite database are owned by www:www:

[/usr/local/www/apache22/data]# ll
drwxr-xr-x 2 root wheel 512 Mar 24 19:52 .
drwxr-xr-x 6 root wheel 512 Mar 24 18:56 ..
-rw-r--r-- 1 www www 2463 Mar 24 20:00 test.php

[/usr/local/share/asterisk/agi-bin]# ll
drwxr-xr-x 3 root wheel 512 Mar 24 18:38 .
drwxr-xr-x 9 root wheel 512 Mar 14 08:05 ..
-rw-rw-r-- 1 www www 3072 Mar 24 18:37 test.sqlite

3. And here's the code:

//GOOD $dbh = new PDO("sqlite:test.sqlite");
//GOOD $dbh = new PDO("sqlite:/tmp/test.sqlite");
$dbh = new PDO("sqlite:/usr/local/share/asterisk/agi-bin/test.sqlite");

$time = time();
$current = date("Y-m-d H:i:s",$time);
$sql = "INSERT INTO mytable VALUES (NULL,'$current')";
print "$sql<hr>";
$dbh->exec($sql);

$sql = "SELECT * FROM mytable";
foreach($dbh->query($sql) as $row) {
print $row['name'] . "<p>\n";
}

$dbh = null;

I don't understand why test.php can read, but cannot write.

Thank you.

Guest
Posted: Mon Mar 24, 2008 3:09 pm    Post subject: [asterisk-users] Access rights between AGI and Web server?

Vincent wrote:
Quote:
On Mon, 24 Mar 2008 11:05:32 -0800, "Mojo with Horan & Company, LLC"
<mojo at horanappraisals.com> wrote:

Quote:
<?php
$u = posix_getpwuid(posix_getuid());
$g = posix_getgrgid(posix_getgid());
echo "This script is running as ".$u['name'].":".$g['name'];
?>


1. Here's the output:

echo exec('id') . "<hr>";
$u = posix_getpwuid(posix_getuid());
$g = posix_getgrgid(posix_getgid());
echo "This script is running as ".$u['name'].":".$g['name'];
=>
uid=80(www) gid=80(www) groups=80(www)
This script is running as www:www

Now, that was run under a webserver, right? Not under asterisk as an
AGI? I thought we were expecting to see root:wheel :)

I understand that it shouldn't matter WHERE you run it from...

Does -w perms on a dir mean you can't modify files within the dir?
Means you can't CREATE new files in the dir, but you can modify existing
files, right? I guess what I'm wondering is if sqlite does something
like this, to keep the transaction atomic:

1. load test.sqlite to memory
2. add the record
3. dump it to disk in a tmp file, test.sqlite.asdfasdf
4. rm test.sqlite && mv test.sqlite.asdfasdf test.sqlite
So I'm wondering if step 3 is breaking because go-w (and group is wheel)
on agi-bin dir?

Did you follow me?
Moj

vincent.delporte at bi...
Posted: Mon Mar 24, 2008 4:09 pm    Post subject: [asterisk-users] Access rights between AGI and Web server?

On Mon, 24 Mar 2008 12:09:00 -0800, "Mojo with Horan & Company, LLC"
<mojo at horanappraisals.com> wrote:
Quote:
Now, that was run under a webserver, right? Not under asterisk as an
AGI? I thought we were expecting to see root:wheel :)

Yup, sorry about that: I forgot to say that I use a single SQLite database
to share data between Asterisk and some PHP scripts.

Found what it was: Even if a file is set to 664 and owned by the right
user, the _directory_ in which the file lives has precedence. In this
case, I just chowned it to root:www, and chmoded it to 664:

[/usr/local/share/asterisk/agi-bin]# ll
drwxrwxr-x 3 root www 512 Mar 24 22:05 .
drwxr-xr-x 9 root wheel 512 Mar 14 08:05 ..
-rw-rw-r-- 1 www www 3072 Mar 24 22:05 test.sqlite

Learned something new today. Thanks for the help.

Guest
Posted: Mon Mar 24, 2008 4:57 pm    Post subject: [asterisk-users] Access rights between AGI and Web server?

Glad you got it!

Moj

P.S. This is not typical, right? If I do NOT have write access to a
directory, I can still write to files that already exist in that
directory, as long as I have write access to said files, I think...
Maybe I'm just talking out loud, but it seems like if you had write
access to temp.sqlite, you could do what you need to do, /unless/ sqlite
tries to create a temporary file and mv it over the top of temp.sqlite,
as this would require write access in the directory.

Vincent wrote:
Quote:
On Mon, 24 Mar 2008 12:09:00 -0800, "Mojo with Horan & Company, LLC"
<mojo at horanappraisals.com> wrote:

Quote:
Now, that was run under a webserver, right? Not under asterisk as an
AGI? I thought we were expecting to see root:wheel :)


Yup, sorry about that: I forgot to say that I use a single SQLite database
to share data between Asterisk and some PHP scripts.

Found what it was: Even if a file is set to 664 and owned by the right
user, the _directory_ in which the file lives has precedence. In this
case, I just chowned it to root:www, and chmoded it to 664:

[/usr/local/share/asterisk/agi-bin]# ll
drwxrwxr-x 3 root www 512 Mar 24 22:05 .
drwxr-xr-x 9 root wheel 512 Mar 14 08:05 ..
-rw-rw-r-- 1 www www 3072 Mar 24 22:05 test.sqlite

Learned something new today. Thanks for the help.



tzafrir.cohen at xorco...
Posted: Mon Mar 24, 2008 9:27 pm    Post subject: [asterisk-users] Access rights between AGI and Web server?

On Sun, Mar 23, 2008 at 11:05:23AM +0100, Vincent wrote:
Quote:
Hello

I run AGI scripts from extensions.conf to save data into an SQLite
database file, but this file must also be accessible in read-write
mode by PHP scripts served by Lighttpd.

As far as I can tell, Asterisk runs by default as root:wheel. I don't
know if AGI scripts also run as root:wheel.

This is a potential problem on its own.

Asterisk should run as asterisk:asterisk.

There should be a third group (say, wwwast) that both asterisk and www
should be its members. And you should chown/chmod the directory holding
the sqlite db (and the db itself) to be writable to members of that group.

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir

jra at baylink.com
Posted: Wed Mar 26, 2008 9:32 am    Post subject: [asterisk-users] Access rights between AGI and Web server?

On Sun, Mar 23, 2008 at 06:34:01PM -0700, Steve Edwards wrote:
Quote:
Does "large" mean voluminous or complex? AGI's allow you to "wrap"
complex logic into a single dialplan step. I confess I've never used the
MySQL dialplan interface, but the idea of keeping track of several
(nested) result sets and accumulating values and making decisions sounds
like the place for a "real" language. (He says ducking behind his
collection of H&S and Knuth for protection.)

<chuckle>

Yeah; I'm not all that impressed by Dialplan as a language, myself;
it's horribly reminiscent of, oh, I dunno, RPGIII?

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Joseph Stalin)

jra at baylink.com
Posted: Wed Mar 26, 2008 9:41 am    Post subject: [asterisk-users] Access rights between AGI and Web server?

On Mon, Mar 24, 2008 at 01:57:53PM -0800, Mojo with Horan & Company, LLC wrote:
Quote:
P.S. This is not typical, right? If I do NOT have write access to a
directory, I can still write to files that already exist in that
directory, as long as I have write access to said files, I think...
Maybe I'm just talking out loud, but it seems like if you had write
access to temp.sqlite, you could do what you need to do, /unless/ sqlite
tries to create a temporary file and mv it over the top of temp.sqlite,
as this would require write access in the directory.

Unix will permit you to write to any already existing file to which you
have write permission, regardless of any permissions on directories in
the tree leading to it.

(I've just tested this on Linux 2.4: /tmp/jra/jra/test is writeable
even though /tmp/jra is mode *0*.)

To *create* a file, you need write permission in the directory in which
you want to create it, but not merely to write or read it.

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Joseph Stalin)
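
Added example (not code from any poster in this thread): in its default rollback-journal mode SQLite creates a `-journal` file next to the database during a write, so a writer needs write permission on the directory as well as on the file. The Python sketch below shows that journal appearing, then evaluates the thread's before/after directory modes for www and the shared-group layout suggested above. The numeric ids other than www's 80, the setgid bit and all function names are assumptions made for illustration.

```python
import os
import sqlite3
import tempfile

def files_during_write(dirpath):
    """Return directory listings (mid-transaction, after commit) for a DB in dirpath."""
    con = sqlite3.connect(os.path.join(dirpath, "test.sqlite"), isolation_level=None)
    con.execute("PRAGMA journal_mode=DELETE")   # SQLite's default rollback-journal mode
    con.execute("CREATE TABLE mytable (id INTEGER PRIMARY KEY, name TEXT)")
    con.execute("BEGIN IMMEDIATE")
    con.execute("INSERT INTO mytable VALUES (NULL, 'constructed row')")
    mid = sorted(os.listdir(dirpath))           # the journal sits beside the DB here
    con.execute("COMMIT")
    after = sorted(os.listdir(dirpath))
    con.close()
    return mid, after

def allowed(mode, owner, group, uid, gids, want):
    """Classic mode-bit check (no ACLs; uid 0 bypasses it). want is r=4, w=2, x=1 ORed."""
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

def sqlite_access(dir_st, file_st, uid, gids):
    """dir_st and file_st are (mode, owner_uid, owner_gid); returns (can_read, can_write)."""
    search = allowed(*dir_st, uid, gids, 1)              # x on the directory reaches the file
    can_read = search and allowed(*file_st, uid, gids, 4)
    can_write = (search and allowed(*file_st, uid, gids, 6)
                 and allowed(*dir_st, uid, gids, 3))     # w+x on the directory: journal creation
    return can_read, can_write

# www is uid/gid 80 in the thread's `id` output; root/wheel as 0 is an assumption.
WWW = (80, {80})
DB_FILE = (0o664, 80, 80)                # -rw-rw-r-- www www
DIR_BEFORE = (0o755, 0, 0)               # drwxr-xr-x root wheel
DIR_AFTER = (0o775, 0, 80)               # drwxrwxr-x root www
# Shared-group layout: ids 5060/5061 and the setgid bit are constructed for illustration.
ASTERISK = (5060, {5060, 5061})          # asterisk, member of wwwast (gid 5061)
WWW_SHARED = (80, {80, 5061})            # www, also a member of wwwast
DIR_SHARED = (0o2775, 5060, 5061)        # setgid so new files get group wwwast on Linux
DB_SHARED = (0o664, 5060, 5061)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(files_during_write(d))
    print("before:", sqlite_access(DIR_BEFORE, DB_FILE, *WWW))
    print("after: ", sqlite_access(DIR_AFTER, DB_FILE, *WWW))
    for who in (ASTERISK, WWW_SHARED):
        print("shared:", sqlite_access(DIR_SHARED, DB_SHARED, *who))
```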

All times are GMT - 5 Hours