Hello, how do you start Kamailio? Via init.d/systemd script?
Cheers,
Daniel

On 03.04.17 14:34, Ginhoux, Patrick wrote:
> Hi,
>
> Selinux is disabled.
>
> Regards
> Patrick GINHOUX
>
> *From:* Daniel-Constantin Mierla [mailto:mico...@gmail.com]
> *Sent:* Monday, 3 April 2017 14:33
> *To:* Ginhoux, Patrick <patrick.ginh...@fr.unisys.com>; Kamailio (SER) - Users Mailing List <sr-users@lists.sip-router.org>
> *Subject:* Re: [SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME settings problem
>
> Hello,
>
> have you disabled selinux to see if starts ok without it?
>
> Cheers,
> Daniel
>
> On 03.04.17 13:54, Ginhoux, Patrick wrote:
> > Hi,
> >
> > Well, with one of my colleagues, we did some research and test, but we don't find where the privilege issue is with the /var/ FS.
> >
> > If the fifo filename is "/var/run/kamailio/kamailio_rpc_fifo" or "/var/run/kamailio_rpc_fifo", we have this privilege issue.
> >
> > I thought that the following declaration would prevent this security issue:
> >
> > modparam("jsonrpcs", "fifo_name", DEFINE_FIFO_NAME)
> > modparam("jsonrpcs", "fifo_mode", 0755)
> > modparam("jsonrpcs", "fifo_group", "kamailio")
> > modparam("jsonrpcs", "fifo_user", "kamailio")
> >
> > but it is not the case.
> >
> > For the moment only the fifo filename "/tmp/kamailio_rpc_fifo" is valid for kamailio to start.
> >
> > Regards
> > Patrick GINHOUX
> >
> > *From:* Ginhoux, Patrick
> > *Sent:* Monday, 27 March 2017 17:46
> > *To:* 'mico...@gmail.com' <mico...@gmail.com>; Kamailio (SER) - Users Mailing List <sr-users@lists.sip-router.org>
> > *Subject:* RE: [SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME settings problem
> >
> > Hi,
> >
> > I continue to investigate on this area.
> >
> > I'm thinking that there are some security settings on the FS /var/, and I'm looking for if we have the rights to change it (I work for a project and don't have all the ability to change some settings without agreement).
> >
> > I'll update you later tomorrow.
> >
> > Regards
> > Patrick GINHOUX
> >
> > *From:* Daniel-Constantin Mierla [mailto:mico...@gmail.com]
> > *Sent:* Monday, 27 March 2017 15:28
> > *To:* Ginhoux, Patrick <patrick.ginh...@fr.unisys.com>; Kamailio (SER) - Users Mailing List <sr-users@lists.sip-router.org>
> > *Subject:* Re: [SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME settings problem
> >
> > Hello,
> >
> > as recently as last week, someone encountered a file access problem while installing Siremis, which is using also some temporary files in /var/, even it was granting privileges via chown and chmod. All went fine after disabling selinux. It was on a centos.
> >
> > I am not saying it is the same, but it could, so try without centos to see if the issue persists.
> >
> > Cheers,
> > Daniel
> >
> > On 27/03/2017 15:10, Ginhoux, Patrick wrote:
> > > Hi,
> > >
> > > This is the RHEL 7.1 distro, and there is use of selinux, apparmor or other tools.
> > >
> > > Are you meaning that the /var/run/ folder would be secured more than other folders?
> > >
> > > Regards
> > > Patrick GINHOUX
> > >
> > > *From:* sr-users [mailto:sr-users-boun...@lists.sip-router.org] *On behalf of* Daniel-Constantin Mierla
> > > *Sent:* Monday, 27 March 2017 13:52
> > > *To:* Kamailio (SER) - Users Mailing List <sr-users@lists.sip-router.org>
> > > *Subject:* Re: [SR-Users] RPCFIFOPATH / DEFINE_FIFO_NAME settings problem
> > >
> > > Hello,
> > >
> > > kamailio should attempt to create the /var/run/kamailio folder if the application is run with enough privileges. However, some operating systems add more constraints on top of the execution user.
> > >
> > > What is your OS distro? Do you have selinux, apparmor or other similar tools enabled?
> > >
> > > Cheers,
> > > Daniel
> > >
> > > On 24/03/2017 17:52, Ginhoux, Patrick wrote:
> > > > In my 'kamctlrc' file:
> > > >
> > > > ## path to FIFO file for engine RPCFIFO
> > > > RPCFIFOPATH="/var/run/kamailio/kamailio_rpc_fifo"
> > > > #RPCFIFOPATH="/tmp/kamailio_rpc_fifo"
> > > >
> > > > In my 'kamailio.cfg':
> > > >
> > > > !!ifndef DEFINE_FIFO_NAME
> > > > !!define DEFINE_FIFO_NAME "/var/run/kamailio/kamailio_rpc_fifo"
> > > > !!endif
> > > >
> > > > modparam("jsonrpcs", "pretty_format", 1)
> > > > modparam("jsonrpcs", "transport", 2)
> > > > modparam("jsonrpcs", "fifo_name", DEFINE_FIFO_NAME)
> > > > modparam("jsonrpcs", "fifo_mode", 0755)
> > > > modparam("jsonrpcs", "fifo_group", "kamailio")
> > > > modparam("jsonrpcs", "fifo_user", "kamailio")
> > > >
> > > > kamailio doesn't start. It reports 'Permission denied':
> > > >
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1138]: ERROR: jsonrpcs [jsonrpcs_fifo.c:144]: jsonrpc_init_fifo_server(): Can't create FIFO: Permission denied (mode=493)
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1138]: CRITICAL: jsonrpcs [jsonrpcs_fifo.c:489]: jsonrpc_fifo_process(): failed to init jsonrpc fifo server
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1120]: ALERT: <core> [main.c:741]: handle_sigs(): child process 1138 exited normally, status=255
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1130]: DEBUG: <core> [core/sr_module.c:920]: init_mod_child(): rank 4: tm
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1137]: DEBUG: <core> [core/sr_module.c:920]: init_mod_child(): rank -1: tm
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1127]: DEBUG: htable [htable.c:226]: child_init(): rank is (1)
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1120]: INFO: <core> [main.c:759]: handle_sigs(): terminating due to SIGCHLD
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1139]: DEBUG: <core> [core/sr_module.c:920]: init_mod_child(): rank -2: kex
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1130]: DEBUG: tm [callid.c:137]: child_init_callid(): callid: '15b1f0d63a718465-1130@129.227.83.108'
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1137]: DEBUG: tm [callid.c:137]: child_init_callid(): callid: '15b1f0d63a718465-1137@129.227.83.108'
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1127]: DEBUG: <core> [core/action.c:1656]: run_child_one_init_route(): attempting to run event_route[core:worker-one-init]
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1136]: INFO: <core> [main.c:814]: sig_usr(): signal 15 received
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1135]: INFO: <core> [main.c:814]: sig_usr(): signal 15 received
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1134]: INFO: <core> [main.c:814]: sig_usr(): signal 15 received
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1133]: INFO: <core> [main.c:814]: sig_usr(): signal 15 received
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1132]: INFO: <core> [main.c:814]: sig_usr(): signal 15 received
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1131]: INFO: <core> [main.c:814]: sig_usr(): signal 15 received
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1129]: INFO: <core> [main.c:814]: sig_usr(): signal 15 received
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1128]: INFO: <core> [main.c:814]: sig_usr(): signal 15 received
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1120]: ERROR: ctl [ctl.c:387]: mod_destroy(): ERROR: ctl: could not delete unix socket /var/run/kamailio//kamailio_ctl: Permission denied (13)
> > > > Mar 24 17:31:21 localhost /usr/sbin/kamailio[1120]: ERROR: jsonrpcs [jsonrpcs_fifo.c:595]: jsonrpc_fifo_destroy(): FIFO stat failed: Permission denied
> > > >
> > > > If I replace the values in the 2 files as appropriate:
> > > >
> > > > In the 'kamctlrc' to RPCFIFOPATH="/tmp/kamailio_rpc_fifo"
> > > >
> > > > In the 'kamailio.cfg' to !!define DEFINE_FIFO_NAME "/tmp/kamailio_rpc_fifo"
> > > >
> > > > Then kamailio starts:
> > > >
> > > > [root@vm-vse02-siprouter1 ~]# ps -ef |grep kam
> > > > kamailio  1235     1  0 17:37 ?        00:00:00 /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u kamailio -g kamailio
> > > > kamailio  1236  1235  0 17:37 ?        00:00:00 /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u kamailio -g kamailio
> > > > kamailio  1237  1235  0 17:37 ?        00:00:00 /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u kamailio -g kamailio
> > > > kamailio  1238  1235  0 17:37 ?        00:00:00 /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u kamailio -g kamailio
> > > > kamailio  1239  1235  0 17:37 ?        00:00:00 /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u kamailio -g kamailio
> > > > kamailio  1240  1235  0 17:37 ?        00:00:00 /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u kamailio -g kamailio
> > > > kamailio  1241  1235  0 17:37 ?        00:00:00 /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u kamailio -g kamailio
> > > > kamailio  1242  1235  0 17:37 ?        00:00:00 /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u kamailio -g kamailio
> > > > kamailio  1243  1235  0 17:37 ?        00:00:00 /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u kamailio -g kamailio
> > > > kamailio  1244  1235  0 17:37 ?        00:00:00 /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u kamailio -g kamailio
> > > > kamailio  1245  1235  0 17:37 ?        00:00:00 /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u kamailio -g kamailio
> > > > kamailio  1246  1235  0 17:37 ?        00:00:00 /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u kamailio -g kamailio
> > > > kamailio  1247  1235  0 17:37 ?        00:00:00 /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u kamailio -g kamailio
> > > > kamailio  1248  1235  0 17:37 ?        00:00:00 /usr/sbin/kamailio -P /var/run/kamailio.pid -m 1024 -M 8 -u kamailio -g kamailio
> > > > root      1251  1165  0 17:37 pts/0    00:00:00 grep --color=auto kam
> > > >
> > > > and I can get result from kamctl/kamcmd commands:
> > > >
> > > > [root@vm-vse02-siprouter1 ~]# kamctl dispatcher dump
> > > > which: no gdb in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/)
> > > > {
> > > >   "jsonrpc": "2.0",
> > > >   "result": {
> > > >     "NRSETS": 1,
> > > >     "RECORDS": [{
> > > >       "SET": {
> > > >         "ID": 1,
> > > >         "TARGETS": [{
> > > >           "DEST": {
> > > >             "URI": "sip:cs1-tool-misc.orange-voicemail.net:5060",
> > > >             "FLAGS": "AP",
> > > >             "PRIORITY": 0
> > > >           }
> > > >         }]
> > > >       }
> > > >     }]
> > > >   },
> > > >   "id": 1301
> > > > }
> > > >
> > > > [root@vm-vse02-siprouter1 ~]# kamcmd dispatcher.list
> > > > {
> > > >   NRSETS: 1
> > > >   RECORDS: {
> > > >     SET: {
> > > >       ID: 1
> > > >       TARGETS: {
> > > >         DEST: {
> > > >           URI: sip:cs1-tool-misc.orange-voicemail.net:5060
> > > >           FLAGS: AP
> > > >           PRIORITY: 0
> > > >         }
> > > >       }
> > > >     }
> > > >   }
> > > > }
> > > >
> > > > Now, if I change the fifo path and name to "/var/run/kamailio/kamailio_rpc_fifo" and apply the following rights on /var/run/ to:
> > > >
> > > > chmod 755 kamailio/
> > > > chown kamailio:kamailio kamailio/
> > > >
> > > > then kamailio starts.
> > > >
> > > > Is there a reason for these results?
> > > >
> > > > Thanks in advance for your answer.
> > > >
> > > > Regards
> > > > Patrick GINHOUX

--
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - May 22-24 (USA) - www.asipto.com
Kamailio World Conference - May 8-10, 2017 - www.kamailioworld.com
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
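
Added example, not part of the original thread or of Kamailio: a shell check of whether the run-as user (the `-u kamailio -g kamailio` seen in the `ps` output) has the write and search bits on the directory that holds the FIFO, which is the condition the `chmod`/`chown` in the first message changes. It also decodes the decimal `mode=493` from the log. The function names are hypothetical, GNU `stat -c` is assumed, and supplementary groups and ACLs are ignored.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils `stat -c`.
# Function names are hypothetical.

# The log prints the FIFO mode in decimal ("mode=493"); show it as octal.
log_mode_to_octal() { printf '%o\n' "$1"; }

# dir_allows_create DIR UID GID -> prints yes | no | missing
# Decides from DIR's owner, group and mode bits whether UID/GID may create
# an entry (such as a FIFO) in it: that needs write + search (w and x).
# Supplementary groups, ACLs and SELinux/AppArmor are not evaluated here.
dir_allows_create() {
    dir=$1; uid=$2; gid=$3
    if [ ! -d "$dir" ]; then echo missing; return 0; fi
    if [ "$uid" -eq 0 ]; then echo yes; return 0; fi
    set -- $(stat -c '%a %u %g' "$dir")
    perms=$(( 0$1 ))                      # leading 0: parse as octal
    if   [ "$uid" -eq "$2" ]; then bits=$(( (perms >> 6) & 7 ))
    elif [ "$gid" -eq "$3" ]; then bits=$(( (perms >> 3) & 7 ))
    else                           bits=$(( perms & 7 ))
    fi
    if [ $(( bits & 3 )) -eq 3 ]; then echo yes; else echo no; fi
}

# report FIFO_PATH USER: check the FIFO's parent directory for USER.
report() {
    parent=$(dirname "$1")
    verdict=$(dir_allows_create "$parent" "$(id -u "$2")" "$(id -g "$2")")
    echo "$parent as $2: $verdict"
    # Mode bits permit it: the remaining suspect is a MAC layer (SELinux).
    if [ "$verdict" = yes ] && command -v getenforce >/dev/null 2>&1; then
        echo "SELinux mode: $(getenforce)"
    fi
}

# Usage: sh check_fifo_dir.sh /var/run/kamailio/kamailio_rpc_fifo kamailio
if [ $# -ge 2 ]; then report "$1" "$2"; fi
```

A `missing` result means the directory does not exist at the time of the check; a `no` result for a root-owned 755 directory matches the "Permission denied" in the log once the process runs as `kamailio`.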