search

OpenSIPS / opensips-cli

OpenSIPS CLI tool - an interactive command line tool that can be used to control and monitor OpenSIPS servers.
GNU General Public License v3.0
84 stars 46 forks source link

permission denied to /tmp/opensips_fifo #83

Closed robdyck closed 3 years ago

robdyck commented 3 years ago

When opensips is configured to use a fifo as the MI interface opensips-cli fails because it cannot open the fifo.

  File "/usr/local/lib/python3.9/site-packages/opensipscli-0.1.0-py3.9.egg/opensipscli/communication/fifo.py", line 60, in execute
    with open(opensips_fifo, 'w') as fifo:
PermissionError: [Errno 13] Permission denied: '/tmp/opensips_fifo'

This failure occurs for a root user and for a user with opensips group permission. Fifo owner is opensips. A workaround is required to make opensips-cli work.

workaround:1 Run both opensips and opensips-cli as root. Unsatisfactory.

workaround:2 sysctl -w fs.protected_fifos=0 Not ideal, you need to remember to set it back when you are done with opensips-cli

workaround;3 As root su opensips ( opensips without password but with shell) Not too bad but results in an error when quitting opensips-cli

bash-5.0$ opensips-cli
Welcome to OpenSIPS Command Line Interface!
(opensips-cli): quit
Error in atexit._run_exitfuncs:
Traceback (most recent call last):
  File "/usr/lib64/python3.9/os.py", line 225, in makedirs
    mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/home/opensips'

Ideally a user with opensips group permission should be able start opensips-cli without using a workaround.

For further reference to fifo permission see this commit. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=30aba6656f61ed44cba445a3c0d38b296fa9e8f5

razvancrainea commented 3 years ago

Thanks for the detailed report! We are aware of this bug and looking for a fix, most likely by changing the default file path of the fifo file. I'll try to push a fix for this asap and let you know when it is completed.

luminblade commented 3 years ago

another workaround, set the fifo file permissions in the script...

modparam("mi_fifo", "fifo_mode", 0666)

robdyck commented 3 years ago

It doesn't work as long as sysctl fs.protected_fifos = 1 which it should be. It's a fifo ownership thing. See the referenced commit. I suppose one ccould justify turning the protection off in some circumstances. Probably some distros like mine default to on.

razvancrainea commented 3 years ago

@robdyck starting with linux kernel 4.19 this is the default behavior - to default writing in a fifo file if stored in a sticky bit directory and you're trying to access it using a different user. I've added this in OpenSIPS' documentation. The right fix for this issue is to move the fifo file in a place where both opensips and opensips-cli have access. Alternatively, opensips-cli should run with the same user as opensips - I'm investigating this to see what is the best option we have now.

razvancrainea commented 3 years ago

This has been fixed in both CLI and OpenSIPS default paths for debs and rpm. Also added suggestions in documentation and cli itself - the rest is on the users's plate :). Thanks for reporting and providing detailed information!