Ticket #5211 (closed Bugs: fixed)

Opened 2 years ago

Last modified 2 years ago

Permissions of amportal.conf and freepbx.conf

Reported by: Lantizia Assigned to: p_lindheimer
Priority: major Milestone: 2.10
Component: Installation Version: 2.9-branch
Keywords: others mode chown chmod write read passwords Cc:
Confirmation: Unreviewed Distro:
Backend Engine: All Distro Ver:
Backend Ver: SVN Revision (if applicable):

Description

Once an installation of 2.9 is complete (fresh install) we see this... 

root@otenew:/etc# ls -lah amportal.conf freepbx.conf
-rw-rw-r-- 1 asterisk asterisk 5.4K Jun  8 09:51 amportal.conf
-rw-rw-r-- 1 asterisk asterisk  296 Jun  8 09:52 freepbx.conf

The needed change to freepbx_engine is this... 

diff freepbx_engine_orig freepbx_engine
158,161c158,161
< 	chown -R $AMPASTERISKWEBUSER:$AMPASTERISKWEBGROUP /etc/amportal.conf
< 	chown -R $AMPASTERISKWEBUSER:$AMPASTERISKWEBGROUP $FREEPBX_CONF
< 	chmod g+w /etc/amportal.conf
< 	chmod g+w $FREEPBX_CONF
---
> 	chown $AMPASTERISKWEBUSER:$AMPASTERISKWEBGROUP /etc/amportal.conf
> 	chown $AMPASTERISKWEBUSER:$AMPASTERISKWEBGROUP $FREEPBX_CONF
> 	chmod o-r /etc/amportal.conf
> 	chmod o-r $FREEPBX_CONF

This will ultimately lead to those two files being on mode 640 thus preventing anyone other than asterisk (or whomever $AMPASTERISKWEBUSER is) or root from being able to read sensitive data such as most critically the freepbx database credentials or things like ARI/FOP passwords.

And yeah... also the change removes making the files recursively owned (what the hell?) and making the file group writeable, which is pointless given the group is the same as the user which has read/write access.

Change History

06/08/11 05:24:27 changed by Lantizia

I would also personally swap to explicitly stating the mode needed rather than removing/adding attributes as then you don't need to worry what mode it is currently set to by previous versions by adding/removing attributes to get the desired result.

06/09/11 19:08:06 changed by p_lindheimer

  • status changed from new to closed.
  • resolution set to fixed.

(In [12229]) fixes #5211 make amportal.conf and freepbx.conf 640 permission

09/20/11 18:39:03 changed by p_lindheimer

(In [12549]) Merged revisions 12168,12170,12172,12183,12205,12221,12226-12229,12231,12235,12237,12250,12321,12357,12363,12467,12476,12529 via svnmerge from http://www.freepbx.org/v2/svn/freepbx/branches/2.9

........

r12168 | GameGamer?43 | 2011-05-19 15:49:56 -0700 (Thu, 19 May 2011) | 1 line

closes #5160 - goes back to how things where done prior to r12066 with the exception that utility.functions.php is included where bootstrap-utility.functions.php used to be

........

r12170 | p_lindheimer | 2011-05-20 08:26:04 -0700 (Fri, 20 May 2011) | 1 line

remove 2.9.0.md5 checksum to regenerate 2.9.0 tag

........

r12172 | p_lindheimer | 2011-05-20 08:28:23 -0700 (Fri, 20 May 2011) | 1 line

Creating release 2.9.0

........

r12183 | p_lindheimer | 2011-05-20 16:32:04 -0700 (Fri, 20 May 2011) | 1 line

fixes #5138 make restrict_mods local and also detect and skip bootstrap if already called

........

r12205 | p_lindheimer | 2011-06-03 09:10:17 -0700 (Fri, 03 Jun 2011) | 1 line

fixed #5194 fix logic flaw so agi scripts can be copied after first module install

........

r12221 | mbrevda | 2011-06-07 08:32:39 -0700 (Tue, 07 Jun 2011) | 1 line

re #5209, write_freepbx should use AMPDBNAME for the db name, not AMPENGINE.

........

r12226 | p_lindheimer | 2011-06-09 15:23:24 -0700 (Thu, 09 Jun 2011) | 1 line

fixes #5217 don't return stripped version of xml to Module Admin

........

r12227 | p_lindheimer | 2011-06-09 15:29:41 -0700 (Thu, 09 Jun 2011) | 1 line

point to 2.9 modules re #5221 - need to rebuild tarball before closing

........

r12228 | p_lindheimer | 2011-06-09 15:53:54 -0700 (Thu, 09 Jun 2011) | 1 line

fixes #5212 if ASTAGIDIR is defined, chown even if it's already been done above through ASTVARLIBDIR...

........

r12229 | p_lindheimer | 2011-06-09 16:08:05 -0700 (Thu, 09 Jun 2011) | 1 line

fixes #5211 make amportal.conf and freepbx.conf 640 permission

........

r12231 | p_lindheimer | 2011-06-11 10:40:16 -0700 (Sat, 11 Jun 2011) | 1 line

closes #5226 include fw_ari and fw_fop in tarball

........

r12235 | p_lindheimer | 2011-06-11 12:17:07 -0700 (Sat, 11 Jun 2011) | 1 line

remove md5 hashes in preperation for re-generating 2.9.0 tarball because of 2.8 modules re #5221

........

r12237 | p_lindheimer | 2011-06-11 12:19:09 -0700 (Sat, 11 Jun 2011) | 1 line

Creating release 2.9.0

........

r12250 | p_lindheimer | 2011-06-11 12:25:01 -0700 (Sat, 11 Jun 2011) | 1 line

special case fw_ari and fw_fop during install_amp as framework re #5227

........

r12321 | mickecarlsson | 2011-07-26 07:43:52 -0700 (Tue, 26 Jul 2011) | 1 line

Closes #5280 revert some of r11047.

........

r12357 | xrobau | 2011-08-04 14:30:20 -0700 (Thu, 04 Aug 2011) | 1 line

Minor fixes for installer, and add the ability to symlink any asterisk path to elsewhere, and it'll still work.

........

r12363 | mickecarlsson | 2011-08-07 12:47:11 -0700 (Sun, 07 Aug 2011) | 1 line

Updated amp.pot for 2.9, should have been submitted a long time ago

........

r12467 | GameGamer?43 | 2011-08-30 15:43:20 -0700 (Tue, 30 Aug 2011) | 1 line

check if the readlink is valid before trying to chown & chmod directories to avoid displaying errors in the event the directories are not there or the user sets this to something else which isnt valid

........

r12476 | mickecarlsson | 2011-09-02 08:52:19 -0700 (Fri, 02 Sep 2011) | 1 line

Close #5348, updated Russian language. Thank you ded

........

r12529 | mickecarlsson | 2011-09-18 02:26:52 -0700 (Sun, 18 Sep 2011) | 1 line

Close #5352, double quotes in string for Advanced Settings should be single quotes and the string itself should be in double quotes.

........