Module: kamailio
Branch: master
Commit: 8f3d76e9808024bff1d816acddeb81667e1df0d2
URL: https://github.com/kamailio/kamailio/commit/8f3d76e9808024bff1d816acddeb8166...
Author: Daniel-Constantin Mierla miconda@gmail.com
Committer: Daniel-Constantin Mierla miconda@gmail.com
Date: 2023-10-09T13:51:47+02:00
corex: rpc command to print shm status report to file based on filter
---
Modified: src/modules/corex/corex_rpc_shm.c
---
Diff: https://github.com/kamailio/kamailio/commit/8f3d76e9808024bff1d816acddeb8166...
Patch: https://github.com/kamailio/kamailio/commit/8f3d76e9808024bff1d816acddeb8166...
---
diff --git a/src/modules/corex/corex_rpc_shm.c b/src/modules/corex/corex_rpc_shm.c index 6230f1b129d..02fa08f8a36 100644 --- a/src/modules/corex/corex_rpc_shm.c +++ b/src/modules/corex/corex_rpc_shm.c @@ -115,13 +115,41 @@ static void corex_rpc_shm_report(rpc_t *rpc, void *ctx) mrep.min_used_frag_line); }
+/*clang-format off*/ +static const char *corex_rpc_shm_rprint_doc[2] = { + "Print shm status report to file matching the filter", 0}; +/*clang-format on*/ + +/* + * RPC command to print the shm status report + */ +static void corex_rpc_shm_rprint(rpc_t *rpc, void *ctx) +{ + char *fname = NULL; + str fmatch = STR_NULL; + FILE *fp = NULL; + + if(rpc->scan(ctx, "ss", &fname, &fmatch) < 2) { + rpc->fault(ctx, 400, "Filename and filter not provided"); + return; + } + fp = fopen(fname, "w"); + if(fp == NULL) { + LM_ERR("cannot open file: %s\n", fname); + rpc->fault(ctx, 500, "Cannot open file"); + return; + } + shm_status_filter(&fmatch, fp); + fclose(fp); +} + /*clang-format off*/ rpc_export_t corex_rpc_shm_cmds[] = { - {"shm.info", corex_rpc_shm_info, corex_rpc_shm_info_doc, 0}, - {"shm.report", corex_rpc_shm_report, corex_rpc_shm_report_doc, 0}, - {"shm.stats", corex_rpc_shm_stats, corex_rpc_shm_stats_doc, 0}, - {0, 0, 0, 0} -}; + {"shm.info", corex_rpc_shm_info, corex_rpc_shm_info_doc, 0}, + {"shm.report", corex_rpc_shm_report, corex_rpc_shm_report_doc, 0}, + {"shm.stats", corex_rpc_shm_stats, corex_rpc_shm_stats_doc, 0}, + {"shm.rprint", corex_rpc_shm_rprint, corex_rpc_shm_rprint_doc, 0}, + {0, 0, 0, 0}}; /*clang-format on*/
/**
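Review bot: in corex_rpc_shm_rprint(), fname is taken straight from rpc->scan() and handed to fopen(fname, "w") with no check on where it points, so any caller that can reach the RPC transport can make the process create or truncate any file its user is allowed to write. Consider resolving the name against a configured report directory, rejecting names that contain '/' or "..", gating the command behind a module parameter, and refusing to overwrite an existing file. Separately, fmatch is declared as str but is scanned with the same "s" specifier as the char *fname; the scan specifier for a str target is "S", so the call should read rpc->scan(ctx, "sS", &fname, &fmatch), otherwise fmatch.len is never set. The return value of fclose(fp) is also ignored, so a failed flush of the report goes unreported to the RPC caller.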
On 9 Oct 2023, at 14:08, Daniel-Constantin Mierla via sr-dev sr-dev@lists.kamailio.org wrote:
corex: rpc command to print shm status report to file based on filter
How do we restrict this? I find it kind of scary that an external app can force kamailio to write to files in the file system.
- I want to be able to disable it in modparam
- I want to be able to restrict the directory Kamailio can write in
- I want to be able to restrict sizes
/O
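The directory and size restrictions asked for above can be sketched as follows. This is an added example, not Kamailio code and not part of the original thread; `report_open`, `report_write` and `REPORT_MAX_BYTES` are hypothetical names, and the temporary directory in `main` is constructed sample input.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define REPORT_MAX_BYTES 4096 /* hypothetical size cap */

/* Open `name` for writing inside the directory that dirfd refers to. */
int report_open(int dirfd, const char *name)
{
	/* only a bare file name: no separators, no ".", "..", no dotfiles */
	if(name == NULL || name[0] == '\0' || name[0] == '.'
			|| strchr(name, '/') != NULL) {
		errno = EINVAL;
		return -1;
	}
	/* O_CREAT|O_EXCL fails if the name exists (symlinks included) */
	return openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Write to the report, truncating at REPORT_MAX_BYTES total file size. */
ssize_t report_write(int fd, const char *buf, size_t len)
{
	struct stat st;
	if(fstat(fd, &st) < 0)
		return -1;
	if(st.st_size >= REPORT_MAX_BYTES) {
		errno = EFBIG;
		return -1;
	}
	if(len > (size_t)(REPORT_MAX_BYTES - st.st_size))
		len = (size_t)(REPORT_MAX_BYTES - st.st_size);
	return write(fd, buf, len);
}

int main(void)
{
	char dir[] = "/tmp/shmrep-XXXXXX"; /* constructed sample directory */
	int dfd = mkdtemp(dir) ? open(dir, O_RDONLY | O_DIRECTORY) : -1;
	if(dfd < 0)
		return 1;
	printf("report.txt -> %d\n", report_open(dfd, "report.txt"));
	printf("../x -> %d\n", report_open(dfd, "../x"));
	printf("/etc/x -> %d\n", report_open(dfd, "/etc/x"));
	return 0;
}
```

Code that needs a `FILE *`, as the patch does, can wrap the returned descriptor with `fdopen(fd, "w")`; the size cap in `report_write` then has to be enforced by the writer instead.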
The execution of rpc commands has to be protected/firewalled anyhow, there are commands that can kill kamailio or old commands that write to file (e.g., dlg.dump_file). Also, the rpc over fifo writes to a file the response. The rpc interface was designed to be used only by trusted apps, being them restricted by firewall or OS permissions.
For more flexibility in setting "I want to be able to ..." rules, of course contributions are more than welcome.
Cheers, Daniel
Kamailio (SER) - Development Mailing List To unsubscribe send an email to sr-dev-leave@lists.kamailio.org
On 9 Oct 2023, at 15:45, Daniel-Constantin Mierla miconda@gmail.com wrote:
The execution of rpc commands has to be protected/firewalled anyhow, there are commands that can kill kamailio or old commands that write to file (e.g., dlg.dump_file). Also, the rpc over fifo writes to a file the response. The rpc interface was designed to be used only by trusted apps, being them restricted by firewall or OS permissions.
I tried to avoid opening the old can of worms, more question if it’s a good thing to continue down that path without protections. You are right, there are a lot of bad things one can do, so maybe we have to live with it. At some point maybe add a light level of authorization.
For more flexibility in setting "I want to be able to ..." rules, of course contributions are more than welcome.
As always!
…which is one of the reasons I’m dropping the ideas on the mailing list for everyone to consider… :-)
/O
If you do jsonrpc over http/s (via xhttp module), then you have the ability to authenticate with digest, like a sip request. Then you can also inspect the body of the http request using jansson and add further logic in the event route to forbid some commands and/or check the parameters with desired rules.
If rpc is used over fifo file/unix file sockets or bare udp/tcp sockets, then firewall/os permissions are the options for protection right now.
Cheers, Daniel
-- Daniel-Constantin Mierla (@ asipto.com) twitter.com/miconda -- linkedin.com/in/miconda Kamailio Consultancy and Development Services Kamailio Advanced Training - Online - Nov 14-16, 2023 -- asipto.com