[Asterisk-Users] Running as non-root user (was: Vmail.cgi Bahhh!!)
Kristian Kielhofner
kris at krisk.org
Wed Oct 20 10:08:59 MST 2004
Paul Dugas wrote:
> Being fairly retentive about security and a long time admin of Solaris and
> Linux machines, I find the default behaviour of * running as root
> troubling. Forgive the potential offense but I don't trust *anyone*
> (including myself unless I have to) with root access. If * is to become a
> product for the world of system admins to manage and monitor, it needs to
> have this problem addressed.
>
> It seems to me that given proper permissions in the installer for the
> files and devices (as Ryan suggested below), we may be able to achieve
> much of this rather painlessly. The TCP ports * listens on are all above
> 1024 I think so that's not an issue. What are the chances of seeing this
> in a 1.1 release?
>
> Paul
> "Retentive Boy"
>
Paul,
This is well documented in the wiki and elsewhere. You can run
asterisk as any user (preferably asterisk, obviously). All you really
need to do is change ASTVARRUNDIR=/var/run/asterisk in the Makefile,
recompile, change safe_asterisk (maybe /etc/init.d/asterisk) to use user
asterisk and group asterisk. Then find something to change all the
necessary permissions:

chown --recursive asterisk:asterisk /var/lib/asterisk
chown --recursive asterisk:asterisk /var/log/asterisk
chown --recursive asterisk:asterisk /var/run/asterisk
chown --recursive asterisk:asterisk /var/spool/asterisk
chown --recursive asterisk:asterisk /dev/zap
chmod --recursive u=rwX,g=rX,o= /var/lib/asterisk
chmod --recursive u=rwX,g=rX,o= /var/log/asterisk
chmod --recursive u=rwX,g=rX,o= /var/run/asterisk
chmod --recursive u=rwX,g=rX,o= /var/spool/asterisk
chmod --recursive u=rwX,g=rX,o= /dev/zap
chown --recursive root:asterisk /etc/asterisk
chmod --recursive u=rwX,g=rX,o= /etc/asterisk

--
Kristian Kielhofner
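
A way to check that the ownership and mode layout from the commands above actually holds after an upgrade or a restore. This is an added example, not part of the original post or of Asterisk; the function names audit_tree and audit_asterisk_layout are hypothetical, and it assumes the asterisk user and group already exist.

```shell
#!/bin/sh
# Added example: audit the ownership/mode layout described in the post.

# audit_tree DIR OWNER GROUP
# Prints each non-symlink entry under DIR that deviates from the layout:
#   - not owned by OWNER, or not in GROUP
#   - group-writable, or any permission bit set for "other"
#     (the post's chmod is u=rwX,g=rX,o=)
# Returns 0 = clean, 1 = deviations found, 2 = DIR missing.
audit_tree() {
    dir=$1 owner=$2 group=$3
    if [ ! -e "$dir" ]; then
        echo "MISSING  $dir"
        return 2
    fi
    bad=$(find "$dir" ! -type l \( ! -user "$owner" -o ! -group "$group" \
        -o -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -z "$bad" ]; then
        return 0
    fi
    printf '%s\n' "$bad" | sed 's/^/DEVIATES /'
    return 1
}

# audit_asterisk_layout [RUN_USER] [RUN_GROUP]
# Walks the paths named in the post; defaults match its asterisk:asterisk.
# Returns 0 only if every tree is present and clean.
audit_asterisk_layout() {
    user=${1:-asterisk} grp=${2:-asterisk} status=0
    for d in /var/lib/asterisk /var/log/asterisk /var/run/asterisk \
             /var/spool/asterisk /dev/zap; do
        audit_tree "$d" "$user" "$grp" || status=1
    done
    # The post keeps /etc/asterisk as root:asterisk with g=rX, so the
    # daemon reads its configuration through the group and cannot rewrite it.
    audit_tree /etc/asterisk root "$grp" || status=1
    return $status
}
```

Run audit_asterisk_layout as root so find can read every directory; any DEVIATES or MISSING line names a path to fix with the chown/chmod commands above.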