[asterisk-users] asterisk as non-root/best practices

Robert McNaught asteriskator at gmail.com
Wed Nov 21 11:37:50 CST 2007


Thanks Tzafrir, I took the stuff out of visudo - it turns out the only
way I could get this working was to create a symbolic link -
/usr/bin/asterisk to point to /home/asterisk .....asterisk  - using
the link created in /usr/sbin/ would not work for 'asterisk -r'

It seems that all commands in /usr/sbin/. were unexecutable by user
'asterisk' or 'admin' - I think that this is to do with the fact that
the sbin directory is only designed for root executable files.

What is your recommendation on having an admin user be able to edit
configs without using the same username as the asterisk daemon? Would
you create a group 'asterisk' and have users 'admin' and 'asterisk' as
part of that group? If the system was compiled to run as asterisk,
then the owner for the config files are all stored in the
/home/asterisk/ subdirectory and are owned by 'asterisk'.

Can you offer any thoughts on that?

Cheers :-)

Robert

> > Hi,
> >
> > I have set up asterisk to run as non root, and allow admin users to log
> > in to the server as asterisk, which gives them privileges to edit
> > configs in the asterisk home directory.
>
> The daemon runs as the user asterisk. There is no reason why the admin
> should run as the user asterisk.
>
> >
> > As for connecting to the console with 'asterisk -r' - this by default
> > does not work as asterisk is owned stored in /usr/sbin/asterisk
> >
> > I am reading that the best way to solve this is to use 'visudo' - I
> > added this:-
> >
> > asterisk ALL=/usr/sbin/asterisk -r NOPASSWD: ALL
>
>
> This is totally unrequired. You just need to set proper permissions for
> the socket /var/run/asterisk/asterisk.ctl . This is done in
> asterisk.conf -
>
> [files]
> ;astctlpermissions = 0660
> ;astctlowner = root
> astctlgroup = asterisk
> ;astctl = asterisk.ctl
>
> http://svn.digium.com/svn/asterisk/branches/1.4/doc/asterisk-conf.txt
>
> > asterisk ALL=/usr/sbin/safe_asterisk NOPASSWD: ALL
>
> Why would Asterisk need to run safe_asterisk?
>
> With an arbitrary parameter?
>
> You may want to permit some administrator to do that, but not the
> asterisk daemon. This probably opens the door to privilege escalations.
>
> --
>  Tzafrir Cohen
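
Added example, not part of the original thread and not Asterisk project code: a small check of the group-based console access described in the quoted reply. It parses the [files] section of an asterisk.conf and applies ordinary Unix permission rules to decide who can reach the control socket. The sample config is constructed, the function names are hypothetical, and it assumes the daemon user owns the socket when astctlowner is not set.

```python
import stat

# Constructed sample: the [files] section quoted in the thread, with the
# permissions line uncommented (assumption) so the mode is explicit.
SAMPLE_CONF = """\
[files]
astctlpermissions = 0660
;astctlowner = root
astctlgroup = asterisk
;astctl = asterisk.ctl
"""

def files_section(conf_text):
    """Return the active (uncommented) settings of the [files] section."""
    section, settings = None, {}
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")].strip().lower()
        elif section == "files" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def can_use_console(settings, user, groups, daemon_user="asterisk"):
    """Unix permission check for connecting to the control socket.

    Connecting to a Unix socket on Linux needs write permission on it.
    Assumption: with astctlowner unset, the daemon user owns the socket.
    """
    mode = int(settings["astctlpermissions"], 8)
    if user == settings.get("astctlowner", daemon_user):
        return bool(mode & stat.S_IWUSR)
    if settings.get("astctlgroup") in groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit(settings):
    """List settings that leave console access wider or vaguer than intended."""
    findings = []
    mode = settings.get("astctlpermissions")
    if mode is None:
        findings.append("astctlpermissions unset: check the socket mode on disk")
    elif int(mode, 8) & 0o007:
        findings.append("socket mode %s grants access to every local user" % mode)
    if "astctlgroup" not in settings:
        findings.append("astctlgroup unset: socket group is not an admin group")
    return findings
```

The user also needs search permission on the directory that holds the socket, which this check does not model.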


