That's exactly what I'm asking in the other mail. Since the introduction of
the daemonize() function, the fifo file is always owned by root even if I
instruct SER to run as, say, 'ser'. The problem lies in the do_suid() sequence
in the main.c file.
To me, if we change uid and/or group id to a less privileged user, the fifo
file should be created under the new user's permission as well. Here is what
I've changed to suit my environment. See the sequence of the ------> line.
---- Before ----
        /* initialize fifo server -- we need to open the fifo before
         * do_suid() and start the fifo server after all the socket
         * are initialized, to inherit them*/
        if (init_fifo_server()<0) {
                LOG(L_ERR, "initializing fifo server failed\n");
                goto error;
        }
        /* Initialize Unix domain socket server */
        if (init_unixsock_socket()<0) {
                LOG(L_ERR, "Error while creating unix domain sockets\n");
                goto error;
        }
-------->  if (do_suid()==-1) goto error; /* try to drop privileges */
        /* process_no now initialized to zero -- increase from now on
           as new processes are forked (while skipping 0 reserved for main
         */
---- After ----
-------->  if (do_suid()==-1) goto error; /* try to drop privileges */
        /* initialize fifo server -- we need to open the fifo before
         * do_suid() and start the fifo server after all the socket
         * are initialized, to inherit them*/
        if (init_fifo_server()<0) {
                LOG(L_ERR, "initializing fifo server failed\n");
                goto error;
        }
        /* Initialize Unix domain socket server */
        if (init_unixsock_socket()<0) {
                LOG(L_ERR, "Error while creating unix domain sockets\n");
                goto error;
        }
----
Sorry, I do not know how to do that 'cvs diff' kind of thing. So, the cum's
bit above. Not sure whether the CVS source will be changed either. There
must be a reason the author did it that way. In my opinion, no offence, it's
a bug but I'm open to discussion.
Zeus
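
An added example, not part of the original message and not SER code: an alternative to moving do_suid(), where the FIFO is still created before the privilege drop but is explicitly handed to the target user and group (mode 660, as in the group setup quoted below) and then verified. The helper name make_owned_fifo and the demo path are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not a SER function): create the FIFO while still
 * privileged, then hand it to the account the daemon will switch to.
 * Returns 0 on success, -1 with errno set on failure. */
int make_owned_fifo(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    struct stat st;
    int saved;

    /* mkfifo() fails with EEXIST if anything already sits at the path,
     * so a stale or pre-planted file is never silently reused. */
    if (mkfifo(path, mode) < 0)
        return -1;
    /* lchown() does not follow symlinks; chmod() comes afterwards because
     * mkfifo() filtered the requested mode through the umask. */
    if (lchown(path, uid, gid) < 0 || chmod(path, mode) < 0)
        goto fail;
    /* Verify the result instead of assuming it. */
    if (lstat(path, &st) < 0)
        goto fail;
    if (!S_ISFIFO(st.st_mode) || st.st_uid != uid || st.st_gid != gid ||
        (st.st_mode & 07777) != mode) {
        errno = EPERM;
        goto fail;
    }
    return 0;
fail:
    saved = errno;
    unlink(path);   /* do not leave a half-configured FIFO behind */
    errno = saved;
    return -1;
}

int main(void)
{
    /* Constructed demo values: the caller's own ids stand in for the
     * 'ser' user and group, and the path is a scratch name. */
    const char *path = "/tmp/ser_fifo_demo";
    if (make_owned_fifo(path, getuid(), getgid(), 0660) < 0) {
        perror("make_owned_fifo");
        return 1;
    }
    printf("%s created with mode 0660\n", path);
    return unlink(path) == 0 ? 0 : 1;
}
```
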
-----Original Message-----
From: serusers-bounces(a)lists.iptel.org
[mailto:serusers-bounces@lists.iptel.org] On Behalf Of Klaus Darilion
Sent: Wednesday, 28 April 2004 5:40 AM
To: John LI
Cc: Jiri Kuthan; Serusers; John LI
Subject: [Serusers] Re: serweb issu
That's not all - because next time you restart ser, ser will set the
permissions again to 660 and apache can't write to the fifo.
So, try to solve it as I said.
I created a user ser and a group ser.
I'm starting ser with:
ser -g ser
Furthermore I added the apache user to the group 'ser'
This allows apache to write to the fifo without changing the permissions
of the fifo.
This works fine for me with ser 0.8.12 stable. Recently there were some
changes to the fifo and user/group switching in unstable ser. So, I
don't know if this also works with unstable ser.
regards
klaus
John LI wrote:
Hi Klaus,
That is great!
I have changed the /tmp/ser_fifo's mode to a+w, and the warning
disappeared, and everything seemed to be working fine.
Thanks so much for your help
John
----- Original Message -----
From: "Klaus Darilion" <klaus.mailinglists(a)pernau.at>
To: "John LI" <john(a)signalphone.com>
Cc: "John LI" <john(a)signalc.com>; "Serusers" <serusers(a)lists.iptel.org>;
"Jiri Kuthan" <jiri(a)iptel.org>
Sent: Tuesday, April 27, 2004 11:30 AM
Subject: Re: serweb issu
>you can change the problem by giving rw access to /tmp/ser_fifo for
>everybody. But this of course is a security risk if there are other
>users which have access to the server.
>
>You can overcome this by changing the userid and groupid of ser after
>startup
>/usr/local/sbin/ser -h
>should give you the hints how to set user and group id.
>
>Then put apache and the ser user into the same group, then apache can
>write to the fifo.
klaus
John LI wrote:
>Hi Jiri and Klaus,
>
>I installed the serweb, and when log in to user account, get the
>warning:
>
>Warning: fopen(/tmp/ser_fifo): failed to open stream: Permission denied in /var/www/html/serweb_2004-01-04/html/functions.php on line 206
>
>I am running ser using the root, and I wonder how can I resolve this
>problem? what ownership should I assign to the /tmp/ser_fifo?
>
>Thanks
>
>John
>
>----- Original Message -----
>From: "Jiri Kuthan" <jiri(a)iptel.org>
>To: "Klaus Darilion" <klaus.mailinglists(a)pernau.at>; "John LI"
><john(a)signalc.com>; "Serusers" <serusers(a)lists.iptel.org>
>Sent: Saturday, March 27, 2004 5:46 PM
>Subject: Re: [Serusers] The problem when enable the MySql
>
>>At 01:29 AM 3/28/2004, Klaus Darilion wrote:
>>
>>>What do you mean by "tools"? For symmetric NATs, the proxy that sends
>>>the request to the UA must have the same IP address as the proxy that
>>>received the REGISTER request - so I thought of using IP takeover
>>>(heartbeat) is the only way (except UAs which can register at multiple
>>>proxies). Is there any other way to solve this problem?
>>
>>no, you need to take-over IP. There are different tools to achieve so,
>>heartbeat one of them, VRRP another one and potentially some more.
>>
>>-jiri