[Asterisk-Users] Running as non-root user (was: Vmail.cgi Bahhh!!)
Justin
justin at vergeworks.com
Wed Oct 20 10:36:17 MST 2004
Hi Kristian,
It is great that this documentation is out there, and that *
supports this. However I think in an ideal world this would be inherently
supported by * and ideally set up via a config file, like with Apache:
User www
Group www
Or some other equivalent method. My problem with the existing approach is
that when things change I have to remember to modify my Makefile, and
figure out what newly added files/directories need permission changes.
That being said I'm no professional sysadmin so maybe I'm missing the
boat here.
- Justin
On Wed, 20 Oct 2004, Kristian Kielhofner wrote:
> Paul Dugas wrote:
> > Being fairly retentive about security and a long time admin of Solaris and
> > Linux machines, I find the default behaviour of * running as root
> > troubling. Forgive the potential offense but I don't trust *anyone*
> > (including myself unless I have to) with root access. If * is to become a
> > product for the world of system admins to manage and monitor, it needs to
> > have this problem addressed.
> >
> > It seems to me that given proper permissions in the installer for the
> > files and devices (as Ryan suggested below), we may be able to achieve
> > much of this rather painlessly. The TCP ports * listens on are all above
> > 1024 I think so that's not an issue. What are the chances of seeing this
> > in a 1.1 release?
> >
> > Paul
> > "Retentive Boy"
> >
>
> Paul,
>
> This is well documented in the wiki and elsewhere. You can run
> asterisk as any user (preferably asterisk, obviously). All you really
> need to do is change ASTVARRUNDIR=/var/run/asterisk in the Makefile,
> recompile, change safe_asterisk (maybe /etc/init.d/asterisk) to use user
> asterisk and group asterisk. Then find something to change all the
> necessary permissions:
>
> chown --recursive asterisk:asterisk /var/lib/asterisk
> chown --recursive asterisk:asterisk /var/log/asterisk
> chown --recursive asterisk:asterisk /var/run/asterisk
> chown --recursive asterisk:asterisk /var/spool/asterisk
> chown --recursive asterisk:asterisk /dev/zap
> chmod --recursive u=rwX,g=rX,o= /var/lib/asterisk
> chmod --recursive u=rwX,g=rX,o= /var/log/asterisk
> chmod --recursive u=rwX,g=rX,o= /var/run/asterisk
> chmod --recursive u=rwX,g=rX,o= /var/spool/asterisk
> chmod --recursive u=rwX,g=rX,o= /dev/zap
>
> chown --recursive root:asterisk /etc/asterisk
> chmod --recursive u=rwX,g=rX,o= /etc/asterisk
>
> --
> Kristian Kielhofner
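The drift Justin describes (new files or directories that miss the ownership and mode fix-up) can be checked mechanically. The script below is an added example, not part of the original thread and not Asterisk code: it audits the paths and owners from Kristian's quoted recipe and reports anything that is not owned as expected or that grants permissions to "other". The function names `audit_tree` and `audit_asterisk`, the `AUDIT_RUN` variable and the file name `audit.sh` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): report permission drift under the
# directories that the quoted chown/chmod recipe fixes up by hand.

# audit_tree DIR USER GROUP
#   Prints "DRIFT <path>" for each non-symlink entry under DIR that is not
#   owned by USER:GROUP or that grants any permission bit to "other"
#   (the recipe's chmod ends in o=). Returns 0 clean, 1 drift, 2 not audited.
audit_tree() {
    dir=$1; user=$2; group=$3
    if [ ! -e "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    # find exits non-zero for an unknown user/group or an unreadable subtree;
    # treat that as "not audited" rather than "clean".
    if ! out=$(find "$dir" ! -type l \( ! -user "$user" -o ! -group "$group" \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null); then
        echo "ERROR $dir"
        return 2
    fi
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out" | sed 's/^/DRIFT /'
    return 1
}

# audit_asterisk: run the audit over the paths and owners from the recipe.
# Returns 0 only if every tree is present and clean.
audit_asterisk() {
    rc=0
    for d in /var/lib/asterisk /var/log/asterisk /var/run/asterisk \
             /var/spool/asterisk /dev/zap; do
        audit_tree "$d" asterisk asterisk || rc=1
    done
    audit_tree /etc/asterisk root asterisk || rc=1
    return $rc
}

# Run the full audit only when asked: AUDIT_RUN=1 sh audit.sh
if [ "${AUDIT_RUN:-0}" = 1 ]; then audit_asterisk; fi
```

Run after each upgrade or `make install`, a non-zero exit status means something was added or changed outside the recipe and needs the chown/chmod pass again.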