[asterisk-users] asterisk as non-root/best practices
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Mon Nov 19 11:14:51 CST 2007
On Mon, Nov 19, 2007 at 08:51:21AM -0800, Robert McNaught wrote:
> Hi,
>
> I have set up asterisk to run as non root, and allow admin users to log
> in to the server as asterisk, which gives them privileges to edit
> configs in the asterisk home directory.
The daemon runs as the user asterisk. There is no reason why the admin
should run as the user asterisk.
>
> As for connecting to the console with 'asterisk -r' - this by default
> does not work as asterisk is owned stored in /usr/sbin/asterisk
>
> I am reading that the best way to solve this is to use 'visudo' - I
> added this:-
>
> asterisk ALL=/usr/sbin/asterisk -r NOPASSWD: ALL
This is totally unrequired. You just need to set proper permissions for
the socket /var/run/asterisk/asterisk.ctl . This is done in
asterisk.conf -

[files]
;astctlpermissions = 0660
;astctlowner = root
astctlgroup = asterisk
;astctl = asterisk.ctl

http://svn.digium.com/svn/asterisk/branches/1.4/doc/asterisk-conf.txt
> asterisk ALL=/usr/sbin/safe_asterisk NOPASSWD: ALL
Why would Asterisk need to run safe_asterisk?
With an arbitrary parameter?
You may want to permit some administrator to do that, but not the
asterisk daemon. This probably opens the door to privilege escalations.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
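
Added example, not part of the original message: a shell check that the control socket ends up with the group ownership and mode the [files] settings in the reply describe, so that console access comes from group membership rather than sudo. It assumes GNU stat (Linux); the function name check_ctl is hypothetical.

```shell
#!/bin/sh
# Added example: verify the Asterisk control socket is reachable through group
# membership only. Assumes GNU stat (Linux). check_ctl is a hypothetical name.
#
# Usage: check_ctl /var/run/asterisk/asterisk.ctl asterisk
# Returns 0 when PATH is owned by GROUP, the group has read+write, and the
# "other" permission class is empty; otherwise prints each finding, returns 1.
check_ctl() {
    path=$1
    want_group=$2
    if [ ! -e "$path" ]; then
        echo "FAIL: $path does not exist (is the daemon running?)"
        return 1
    fi
    mode=$(stat -c '%a' "$path") || return 1
    group=$(stat -c '%G' "$path") || return 1
    bits=$((0$mode))                  # stat prints octal digits, e.g. 660
    group_bits=$(( (bits >> 3) & 7 ))
    other_bits=$(( bits & 7 ))
    rc=0
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group (astctlgroup)"
        rc=1
    fi
    if [ $(( group_bits & 6 )) -ne 6 ]; then
        echo "FAIL: mode $mode gives the group no read+write (astctlpermissions)"
        rc=1
    fi
    if [ "$other_bits" -ne 0 ]; then
        echo "FAIL: mode $mode grants access beyond owner and group"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $path is mode $mode, group $group"
    return "$rc"
}
```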