Restrictions of FIFO-based Communications in Linux

Problem Definition

To explain this we will take OpenSIPS’s fifo as an example. It is used to communicate with OpenSIPS’s management interface “Mi”. Assume “/tmp/opensips_fifo” is the fifo file. OpenSIPS is the owner of this pipe and OpenSIPS-CP wants to access/read/write to/from the pipe. As we know everything is a file in Linux so this pipe is just a file and we want to manage how OpenSIPS-CP or other programs can access this pipe to send requests or receive reponses to/from OpenSIPS. OpenSIPS is executed by user=opensips and group=opensips. OpenSIPS-CP is executed by user=apache and group=apache. To see this:  # ps -aux | grep httpd or opensips.

fifo

And we have this error message “Cannot connect to OpenSIPS Server via Management Interface (/tmp/opensips_fifo)“. Be sure you are using the right name of the fifo file. Be aware if there is a space at the front or at the end of file path. Be sure that you are talking with the intended OpenSIPS server in case you have many OpenSIPS instances working on the same machine. Be sure the opensips is simply running (OpenSIPS restart may solve the problem). If all that is ok and still you have the error message then start your journey through this article.

Here i have Fedora 20, PHP 5.5.17 , Apache 2.4, OpenSIPS-CP 6.0 , OpenSIPS 1.11. Do the corresponding of everything in your system.

What to Do

Temporarily disable SeLinux. We will come back to it.

  • Discretionary Access Control (DAC): In OpenSIPS configuration file we have this line “modparam(“mi_fifo”, “fifo_mode”, 0666)”  so OpenSIPs create the fifo file with the permission 666 (Owner=6,Group=6, Others=6) which is “prw-rw-rw-“. This means read and write permission for the owner, group, and the others. The letter p means this file is pipe.
  • User:Group Ownership: OpenSIPS-CP executed by apache so add apache user to opensips group if you don’t want to give permissions to others. For this, you can use # system-config-users. To list the members in the group:

# lid -g $groupName

  • Access Control List (ACL): use ACL to give permissions to a specific user For example let Apache user has rw access to the fifo file:

# setfacl -m u:apache:rw /tmp/opensips_fifo

To check the list

# getfacl /tmp/opensips_fifo

Eiciel is GNOME tool to visually configure the ACL entries. # yum install eiciel and to run it  # eiciel the GUI will open. Choose the directory and start editing the acl. Visual ACL

  • Programming Language Restrictions: The programming language may apply some kind of restrictions on accessing files. Web programming language like PHP has safe_mode and open_basedir features. Open /etc/php.ini to disable these. For example file_exists() php function check whether the file or directory is exists or not. This Function return False due to safe_mode restrictions. When safe_mode is enabled (safe_mode = On in php.ini), PHP checks to see if the owner of the current php script matches the owner of the file to be operated on. Safe_mode is removed in PHP-5  but we have to keep programming language restrictions in our minds.
  • Web Server Restrictions: For example Apache web server protects directories and files from hosts/web clients by defining policy rules in httpd.conf.

Example 1: “Linux root is inaccessible by everyone”

<Directory />
AllowOverride none
Require all denied
</Directory>

The default is denying access to the entirety of your server’s file system. You must explicitly permit access to the server’s directories

Example 2: The area /var/www/opensips-cp/web can be accessed by everyone:

<Directory  /var/www/opensips-cp/web>

Options Indexes FollowSymLinks MultiViews

AllowOverride None
Require all granted

</Directory>

  • PrivateTmp Feature: This is new feature since Fedora 16 and Red Hat Enterprise Linux 7. “PrivateTmp” is an option in systemd unit configuration files.

PrivateTmp: “Takes a boolean argument. If true sets up a new file system namespace for the executed processes and mounts a private /tmp directory inside it, that is not shared by processes outside of the namespace. This is useful to secure access to temporary files of the process, but makes sharing between processes via /tmp impossible. Defaults to false.”

If the fifo file which is shared between two processes (apache and opensips) created in /tmp so you have to disable this feature. To disable it do the following:

# vim /usr/lib/systemd/system/httpd.service

Change the line PrivateTmp=true to PrivateTmp=false

# systemctl –system daemon-reload

# systemctl restart httpd.service

  • Umask

It could be helpful if you check the umask of the running process which accessing the file and the umask of the file. umask of the specific file can be changed by setfacl command and graphically by Eiciel . To change the  umask of running process, take the id of the process for example httpd # ps -ef |grep httpd.  Enter the gdp # gdp –pid=httpd-Process-Id. To change the umask to 0, type  call umask(0) in gdp console. The umask will be 0 and the command will give you the previous umask value.

  • SeLinux: SeLinux might prevent the access to the file (access, link, unlink,…. ). Selinux Troubleshooter can help you to know how to fix this. How to allow for example httpd process to access FIFO file. Keep your eyes on the SeLinux alerts and do what the troubleshooter suggests. The file “/var/log/audit/audit.log”  contain the alerts and what you did is this:

# grep httpd /var/log/audit/audit.log | audit2allow -M minpol
# semodule -i minpol.pp

If you go through all the points above you will be able to solve the problem .Remember if you make any changes in the configuration file, restart the service.

Where to Look to Trace the Error

Reading the log files is the key (basically here /var/log/*). Make some changes in the configuration somewhere, restart the corresponding service and re-read the log files again. Repeat this till you get no errors. Now  in our use case of opensips’s fifo we can see a list of available fifo commands in opensips-cp web interface. This means Apache (opensips-cp) and the opensips can communicates through the fifo file.

snap11

OpenSIPS-CP can request the dialog information from OpenSIPS through the fifo file. See the figures below of the early dialog and the confirmed dialog.

dialog1

dialog2


Below is a php client which try to connect to opensips fifo file and send commands. Copy the text and save it in opensips-cp/web/Fifotest.php and then call it from the browser /ipaddress/cp/Fifotest.php. Use it to test the fifo connection.

Source: FIFO Client PHP Example


Advertisements

One comment on “Restrictions of FIFO-based Communications in Linux

  1. Thank you very much, following your article through the PrivateTemp Feature was the cause of my problem. Setting the PrivateTemp flag to false in my httpd.service file saved me a lot of head scratching….Nice one.. Greg.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s