Feature #67
Investigate methods to eliminate requirement for HTTP authentication

| Status: | Rejected | Start: | 05/11/2009 |
|---|---|---|---|
| Priority: | Low | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
Description
Continue investigation of ways to use .htaccess and Apache directory access to eliminate the need for the module to authenticate (on platforms that use Apache security for the modules). Security models to be considered are PBXIAF, Fonica PABX, and TrixBOX CE.
History
Updated by tshif over 2 years ago
This info was provided by Joe Roper in ticket: #56 Note 3
Here is just a quick outline of how PBX in a flash works in as far as htaccess security is concerned.
Any file named .htaccess is completely ignored in PiaF, as the httpd.conf file is not set up to honour any .htaccess files.
Security to the freepbx directory, (admin) and the maint directory is handled by directory access in /etc/pbx/httpdconf/pbx.conf
However, some people have enabled .htaccess to be honoured in order to prevent directory listing of the /var/www/html/admin/modules directory, as the FreePBX developers intended, and therefore any .htaccess files in the system will be honoured, including the one erroneously put in the /admin directory by update-scripts, which prevents access to the entire admin directory, and if .htaccess is enabled, this would have to be deleted to get FreePBX to work again.
FonicaPABX/Foncordiax is a different setup, as we have enabled webserver mode for FreePBX, and used mod_auth_mysql to handle the security with .htaccess. This brings back the ACL functionality in the administrators screen, but also ensures that Apache handles the security of the system, rather than FreePBX, which has not been tested to the same degree as Apache in terms of security.
This explains to some degree the problems encountered by http://www.pbxinaflash.com/forum/showthread.php?t=4387 post 25.
So to summarise, any .htaccess files can be put into the web directories in PiaF, but will be ignored in a standard installation. This is good for modules, as the FonicaPABX system can have its htaccess files in place in the modules without screwing up PiaF, unless someone has changed something.
I'm not fully familiar with superfecta, nor have I looked at the code, but Tony has explained the issue as Asterisk needs to get access to the php file, but cannot, because directory security gets in the way.
A possible solution to this would be to place the files required in /var/lib/asterisk/bin with the other php files and scripts used by FreePBX. I believe that this directory is accessible via the module installer.
Any questions, please let me know.
Joe
Updated by nerduno over 2 years ago
tshif wrote:

> However, some people have enabled .htaccess to be honoured in order to prevent directory listing of the /var/www/html/admin/modules directory, as the FreePBX developers intended, and therefore any .htaccess files in the system will be honoured, including the one erroneously put in the /admin directory by update-scripts, which prevents access to the entire admin directory, and if .htaccess is enabled, this would have to be deleted to get FreePBX to work again.

You don't have to enable .htaccess to block directory listing of /admin/modules in PBX in a Flash. The entire /admin and /maint trees are restricted by the /etc/pbx/httpdconf/pbx.conf setup for Apache:

```apache
#Password protect /var/www/html/admin
<Directory /var/www/html/admin>
AuthType Basic
AuthName "Restricted Admin Area"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require user wwwadmin maint
</Directory>
#Password protect /var/www/html/panel
<Directory /var/www/html/panel>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require user wwwadmin maint
</Directory>
#Password protect /var/www/html/maint
<Directory /var/www/html/maint>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require user maint
</Directory>
#Password protect /var/www/html/meetme
<Directory /var/www/html/meetme>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require user wwwadmin maint meetme
</Directory>
```
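As an added illustration (not code from this ticket, PiaF or FreePBX), a small Python parser for `<Directory>` blocks of the shape quoted above. It reports which protected path prefix covers a given file, which is the situation Joe describes where a module's PHP file under /admin is unreachable while a file in /var/lib/asterisk/bin is not, and it flags blocks whose AllowOverride would cause .htaccess files to be honoured. The sample config and its AllowOverride line are constructed for the example.

```python
import re

# Constructed sample config (not the real pbx.conf): the block shape quoted in
# the thread, plus a hypothetical "AllowOverride AuthConfig" line to detect.
SAMPLE_CONF = """
#Password protect /var/www/html/admin
<Directory /var/www/html/admin>
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require user wwwadmin maint
</Directory>
<Directory /var/www/html/maint>
Require user maint
AllowOverride AuthConfig
</Directory>
"""

_OPEN = re.compile(r'^<Directory\s+"?([^\s">]+)"?\s*>$', re.I)
_CLOSE = re.compile(r"^</Directory>$", re.I)

def parse_directory_blocks(conf):
    """Map each <Directory> path to its 'Require user' list and AllowOverride.
    Assumption: no AllowOverride line means 'None' (.htaccess ignored), as the
    thread says the stock PiaF httpd.conf behaves."""
    blocks, path = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        m = _OPEN.match(line)
        if m:
            path = m.group(1).rstrip("/")
            blocks[path] = {"users": [], "allow_override": "None"}
        elif _CLOSE.match(line):
            path = None
        elif path is not None:
            key, _, value = line.partition(" ")
            key, value = key.lower(), value.strip()
            if key == "require" and value.lower().startswith("user "):
                blocks[path]["users"] = value.split()[1:]
            elif key == "allowoverride":
                blocks[path]["allow_override"] = value
    return blocks

def protecting_block(blocks, filepath):
    """Longest <Directory> prefix that requires a user for filepath, else None."""
    hits = [p for p, b in blocks.items()
            if b["users"] and (filepath == p or filepath.startswith(p + "/"))]
    return max(hits, key=len) if hits else None

def htaccess_honoured(blocks):
    """Directories where AllowOverride is not None, so .htaccess files are read."""
    return [p for p, b in blocks.items() if b["allow_override"].lower() != "none"]
```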
Updated by nerduno over 2 years ago
P.S. The .htaccess file in admin was on purpose. It serves as a red flag to anyone who has screwed around with Apache privileges on a PBX in a Flash system. They find out quickly when they no longer can access FreePBX. :-)
Updated by tshif over 2 years ago
nerduno wrote:

> tshif wrote:
>
> > However, some people have enabled .htaccess to be honoured in order to prevent directory listing of the /var/www/html/admin/modules directory, as the FreePBX developers intended, and therefore any .htaccess files in the system will be honoured, including the one erroneously put in the /admin directory by update-scripts, which prevents access to the entire admin directory, and if .htaccess is enabled, this would have to be deleted to get FreePBX to work again.
Wait - I didn't write that - I have no informational basis on which to form those statements.
Updated by nerduno over 2 years ago
Wasn't blaming, just quoting (albeit improperly). Sorry. Just wanted everyone to know how PIAF security really worked. :-)
Updated by tshif over 2 years ago
No problem! I just don't want you making me sound way smarter than I am - heheheh!
Updated by tshif over 2 years ago
- Target version changed from Caller ID Superfecta v 2.1.0 to Caller ID Superfecta - Future Versions
Updated by tshif over 2 years ago
- Status changed from New to Rejected
This really isn't being complained about, nor causing problems for anyone - I'm setting it to rejected.
Updated by tshif over 2 years ago
- Target version deleted (Caller ID Superfecta - Future Versions)