Problems with current implementation of freePBX in Elastix

Problems with current implementation of freePBX in Elastix It’s messy. Here, look at this default installation: [root@erlang asterisk]# ls a2billing.conf features_featuremap_custom.conf phpagi.conf additional_a2billing_iax.conf features_general_additional.conf privacy.conf additional_a2billing_sip.conf features_general_custom.conf queues_additional.conf adsi.conf festival.conf queues.conf adtranvofr.conf followme.conf queues.conf.rpmnew agents.conf freepbx_featurecodes.conf queues_custom.conf alarmreceiver.conf freepbx_module_admin.conf queues_custom_general.conf alsa.conf func_odbc.conf queues_general_additional.conf amd.conf globals_custom.conf queues_post_custom.conf applications.conf gtalk.conf res_mysql.conf asterisk.adsi h323.conf res_mysql.conf.sample asterisk.conf http.conf res_odbc.conf asterisk.conf.rpmnew iax_additional.conf res_pgsql.conf cdr.conf iax.conf res_snmp.conf cdr_custom.conf iax.conf.old_freePBX-2.4.0-12 rpt.conf cdr_manager.conf iax.conf.old_freePBX-2.4.0-13 rtp.conf cdr_mysql.conf iax.conf.old_freePBX-2.5.1-11rc say.conf cdr_mysql.conf.bak iax.conf.old_freePBX-2.5.2-2rc sip_additional.conf cdr_mysql.conf.sample iax.conf.rpmnew sip.conf cdr_odbc.conf iax_custom.conf sip.conf.old_freePBX-2.4.0-12 cdr_pgsql.conf iax_custom_post.conf sip.conf.old_freePBX-2.4.0-13 cdr_tds.conf iax_general_additional.conf sip.conf.old_freePBX-2.5.1-11rc chan_dahdi_additional.conf iax_general_custom.conf sip.conf.old_freePBX-2.5.2-2rc We have *.bak file, .sampl, .0, sip.conf.old_freePBX-2.4.0-13 and other goodies. It seems like something is not cleainnig up on upgrades. Another thing not seen here is that some files are actually linked from /etc/asterisk/ to /var/www/html/admin… [root@erlang asterisk]# ls -l iax.conf.old_freePBX-2.4.0-13 lrwxrwxrwx 1 asterisk asterisk 45 Mar 28 12:14 iax.conf.old_freePBX-2.4.0-13 -> /var/www/html/admin/modules/core/etc/iax.conf There is no engineering reason for this symbolic link. Same problem happens for AGI files: [root@erlang asterisk]# ls /var/lib/asterisk/bin/* /var/lib/asterisk/bin/ /var/lib/asterisk/bin/ /var/lib/asterisk/bin/ /var/lib/asterisk/bin/ /var/lib/asterisk/bin/ This is an inherent problem of freePBX – instead of using the native package management system of the distribution, they invented their own package management, which is clearly doing a bad job. RPM, dpkg, pacman et al, can do a better job. Logical problems There is no way of querying for modified files. Lets assume a customer calls you and describes that his system is not working properly. You assume someone “hacked” the machine and modified files. You cannot see which files have been modified. However, this seems to be a global problem within Elastix as a product, for example apache is properly packaged, and the elastix GUI RPM has it’s problems. See what “bash” outputs. [root@elastix ~]# rpm -qV bash [root@elastix ~]# rpm -qV httpd S.5....T c /etc/httpd/conf/httpd.conf [root@elastix ~]# rpm -qV freepbx package freepbx is not installed [root@elastix ~]# rpm -qV elastix S.5....T c /etc/dahdi/genconf_parameters missing /usr/share/elastix/CentOS-Base.repo missing /usr/share/elastix/sudoers missing /usr/share/elastix/virtual.db .M...... /var/lib/asterisk/agi-bin .M...... /var/lib/asterisk/agi-bin/ .M...... /var/lib/asterisk/agi-bin/ .M...... /var/lib/asterisk/agi-bin/imap.agi .M...... /var/lib/asterisk/agi-bin/intervenir.agi .M...... /var/lib/asterisk/agi-bin/nv-weather.php .M...... /var/lib/asterisk/agi-bin/wakeconfirm.agi .M...... /var/lib/asterisk/agi-bin/wakeup.php .M...... /var/lib/asterisk/agi-bin/weather.agi .M...... /var/lib/asterisk/mohmp3 .M...... /var/lib/asterisk/mohmp3/fpm-calm-river.wav .M...... /var/lib/asterisk/mohmp3/fpm-sunshine.wav .M...... /var/lib/asterisk/mohmp3/fpm-world-mix.wav S.5....T c /var/www/db/acl.db ..5....T c /var/www/db/menu.db ..5....T c /var/www/db/samples.db ..5....T c /var/www/db/settings.db S.5....T /var/www/html/robots.txt [root@elastix ~]# Technological/security problems One of the biggest problems in packaging web applications, is that many times the web applications need write access to the webroot. IMHO, this is a huge security hole which should be removed: the webroot should be owned by root, without write acess to anyone else but root. However, freePBX demands write access to the Asterisk directory. The configuration files work in such way that there are known “hooks” for the GUI and for the user specially crafted in the configuration files. For this reason the configuration files cannot be treated as configuration but code – they are to be managed only bu the packager/developer and the user cannot modify them. Any solution that will try to solve ths problem will have to threat the configuration files with same respect as code – this is not something that the user CAN modify. As a work around for this issue in Elastix and Trixbox, they changed the user which runs the apache2 server from www-data to asterisk – and thus escalating the security issue. Most of these problems can be addressed, if someone does take under consideration those issues. The biggest problem is that currently “no one is looking into this”.

Share Button

כתיבת תגובה

האימייל לא יוצג באתר. שדות החובה מסומנים *