[Asterisk-Users] Web Voicemail Permissions

Tilghman Lesher tilghman at mail.jeffandtilghman.com
Mon Oct 6 23:37:52 MST 2003


On Tuesday 07 October 2003 01:23, Olle E. Johansson wrote:
> Tilghman Lesher wrote:
> > On Monday 06 October 2003 05:13 pm, Carlton J. O'Riley wrote:
> >>Are there any plans to incorporate the running of Asterisk as a
> >>non-root user into the current CVS?  There is nothing in Asterisk
> >>that requires root access as far as I know and this would solve the
> >>vmail.cgi script permissions problem.
> >
> > Here's a reason why it might need to run as root:
> > bash# ls -l /dev/zap/ctl
> > crw-r--r--    1 root     root     196,   0 Oct  6 13:15 /dev/zap/ctl
>
> We need to open some ports for listening as root, but after that we
> can change user ID the way other daemons do.

None of the ports are below 1024, so root access is not needed to bind
them.

> Tilghman, can we handle this ctl device as another user after we
> opened it?

Check with Mark.  Also, note that there's no guarantee that some kernel
developer might think this is a bad idea (read: security hole) and
disallow it in some future version.

> I agree that it would be good to have Asterisk running with another
> user ID.

If you're that concerned about it, why not use the NSA kernel with ACLs?
It would probably be even better served if you worked to secure the
entire execution environment (e.g. chroot, ACLs, etc.) instead of just
changing the uid.

-Tilghman
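
The open-then-drop pattern discussed in this thread, as an added example that is not part of the original messages and not Asterisk code: open the root-only path first, then permanently switch to an unprivileged uid/gid and verify that root cannot be regained. The function names and the uid/gid 1000 defaults are assumptions; whether the Zaptel driver makes further privilege checks on an already-open descriptor is not covered here.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Order matters: supplementary groups,
 * then gid, then uid (after setuid we can no longer change groups). */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may call setgroups(); discard root's extra groups. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Fail closed if root can be regained or any id did not change. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

/* Open the privileged path first, then drop. Returns the still-open
 * descriptor, or -1 if either step fails. */
int open_then_drop(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (drop_privileges(uid, gid) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Device path is from the thread; uid/gid 1000 are placeholders. */
    const char *path = argc > 1 ? argv[1] : "/dev/zap/ctl";
    uid_t uid = argc > 2 ? (uid_t)atoi(argv[2]) : 1000;
    gid_t gid = argc > 3 ? (gid_t)atoi(argv[3]) : 1000;
    int fd = open_then_drop(path, uid, gid);
    if (fd < 0) { perror("open_then_drop"); return 1; }
    printf("fd %d open, now uid=%d gid=%d\n", fd, (int)getuid(), (int)getgid());
    return 0;
}
```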