I HAVE A DREAM Execute bash inside php

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,149
Reaction score
1,238
OK - I'm close - very close to getting auto whitelist of IP using the registration module from phones. I'm gonna show to Ward and let him poke holes in it before disseminating (but it includes using a specific port and using exact DNS name as locks).

I'm stuck though on running the add-ip bash from the p.php file. I keep getting the 126 - which I'm sure is the permissions, as I'm sure it's to be run as root user. Anyone (or Ward) have any suggestions?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,227
@krzykat IPtables requires root permissions for mods/changes. A couple of ways to approach it. You could give the asterisk user root permissions using /etc/sudoers, but that's obviously dangerous at least theoretically. I say that because, if the asterisk user account gets compromised, your server is toast anyway. Another option would be to write the new add-ip address to a text file and then set up a cron job that runs every few minutes to see if the file exists and run a script like add-ip to gobble it up into IPtables.
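
Added example, not part of the original posts and not the add-ip script itself: a sketch of the root-side cron job for the "write to a text file, let cron pick it up" option described above, with strict validation so that nothing the web user writes reaches a root command except a plain IPv4 address. The queue path, the script name in the crontab line, and the assumption that add-ip accepts the address as its first argument are all hypothetical.

```shell
#!/bin/sh
# Root-side half of the "queue file + cron" approach (added example).
# Assumed, not from the thread: the queue path and that add-ip takes the IP as $1.
QUEUE="${QUEUE:-/var/spool/whitelist/pending}"
ADD_IP_CMD="${ADD_IP_CMD:-/root/add-ip}"

# Accept only a canonical dotted-quad IPv4 address. Anything else the PHP side
# wrote (shell metacharacters, hostnames, CIDR, options) is rejected.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Claim the queue with a rename, then pass each valid line to add-ip.
# Prints "<added> <rejected>".
process_queue() {
    pq_ok=0; pq_bad=0
    # The web user owns this path: ignore symlinks and non-regular files.
    if [ -L "$1" ] || [ ! -f "$1" ]; then echo "0 0"; return 0; fi
    pq_work="$1.$$"
    mv -- "$1" "$pq_work" || return 1
    while IFS= read -r pq_line || [ -n "$pq_line" ]; do
        # </dev/null keeps add-ip from eating the rest of the queue on stdin.
        if valid_ipv4 "$pq_line" && "$ADD_IP_CMD" "$pq_line" </dev/null >/dev/null; then
            pq_ok=$((pq_ok + 1))
        else
            pq_bad=$((pq_bad + 1))
        fi
    done < "$pq_work"
    rm -f -- "$pq_work"
    echo "$pq_ok $pq_bad"
}

# Root crontab entry (constructed): */2 * * * * /root/process-whitelist.sh --run
case "${1:-}" in --run) process_queue "$QUEUE" ;; esac
```

Octets with leading zeros are refused because some address parsers read them as octal, which would whitelist a different address than the one that was verified.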
 

krzykat

I like option B, that makes a lot of sense. Or, now that you say that, can I go ahead and make another file that IPtables simply calls to add to its list without compromising its integrity?
 

wardmundy

I don't know of an IPtables mechanism to do that. You want to be sure the entries go in the right place, and that's essentially what add-ip does.
 

krzykat

OK - need a little help here with SUDO. I'm sure I just don't know proper context or something here. added:
asterisk ALL = NOPASSWD: /etc/sysconfig

Then in let's say add-ip2 I have:
sudo -u asterisk cp /etc/sysconfig/iptables/ etc/sysconfig/iptables2

and it doesn't work. What's the proper way to call this to get it to work?

I've got everything working with the exception of this one last piece.
 

krzykat

It works !!! We can now poke a hole to allow auto-whitelist add if you match a series of 3 password constraints. This can be done by simply having your phone's mac setup in the autoprovision OSS endpoint manager with no user intervention needed. It took forever to get the rights stuff done properly, but we now have it. Just a couple more changes and it'll be passed along to Ward to verify. No more need for travelin-man :)
 

krzykat

Never made it into a module, but yes, it's working as intended. Let me get a how-to created tomorrow and I'll post it. One thing you need is your phone/device needs to be able to provision via specified port (one of the 3 locks). I've done it with Yealink and Grandstream, but my old Linksys ATA works only with port 80.
 

omunni

Guru
Joined
Feb 12, 2010
Messages
27
Reaction score
7
Is the how-to dead or alive? I would very much like to try your idea.
Thanks
 

krzykat

Hey guys - sorry for the late reply. I hadn't gotten very much in the way of interest or inquiries, so it's been on the back burner. It works great, but it's never been put into a script. We've expanded it a little bit, and in addition to allowing someone to be added if we know their MAC from the auto-provisioner, we can also add IPs to the whitelist by them submitting a request via HTTP - it asks them for their e-mail, and then we shoot them an e-mail with a verification code. Enter the code, and you get added to whitelist.
The other neat thing is that if someone tries to register for a sip peer from a MAC address other than the one that is on file, an e-mail is sent to the admin letting them know someone is trying to login from a MAC address other than the one assigned.

As I said, glad to tell anyone how to do it, but if (my guess is yes) there are enough people that desire this - please reply and then we'll put it higher on the priority list and bang it out.
 

krzykat

Workload backed up because of the hurricane, and reworking our voicemail plus transcription service. Soon as that's done, and any other fires are put out, this will be worked on.
 

jmcguirl

Veteran Member
Joined
Dec 3, 2010
Messages
28
Reaction score
0
No rush... but I am still very much interested in this. Thank you for your efforts.
 
