[asterisk-users] asterisk as non-root/best practices

Kristian Kielhofner kristian.kielhofner at gmail.com
Wed Nov 21 12:53:58 CST 2007


On Nov 21, 2007 12:37 PM, Robert McNaught <asteriskator at gmail.com> wrote:
> Thanks Tzafrir, I took the stuff out of visudo - it turns out the only
> way I could get this working was to create a symbolic link -
> /usr/bin/asterisk to point to /home/asterisk .....asterisk  - using
> the link created in /usr/sbin/ would not work for 'asterisk -r'
>
> It seems that all commands in /usr/sbin/. were unexecutable by user
> 'asterisk' or 'admin' - I think that this is to do with the fact that
> the sbin directory is only designed for root executable files.
>
> What is your recommendation on having an admin user be able to edit
> configs without using the same username as the asterisk daemon - would
> you create a group 'asterisk' and have users 'admin' and 'asterisk' as
> part of that group - If the system was compiled to run as asterisk,
> then the owner for the config files are all stored in the
> /home/asterisk/ subdirectory and are owned by 'asterisk'.
>
> Can you offer any thoughts on that?
>
> Cheers :-)
>
> Robert
>

Robert,

  I don't see why a symlink is necessary...  Try something like this:

(as root)
chown -R asterisk:asterisk /etc/asterisk
chmod -R 770 /etc/asterisk
usermod -G admin,asterisk admin

  Verify your /var/run/asterisk socket permissions as suggested by Tzafrir.

  The admin user should now be able to connect to the running asterisk
socket and change the config files.  Or, you could make /etc/asterisk
mode 640, owned by admin:asterisk.  Note that because of the PATH for
your admin user you will have to specify the full pathname to asterisk
(usually /usr/sbin/asterisk).

  As far as permissions, you could add "admin" to the asterisk group
and make sure your files are 660 (dirs 770).

  The various "sbin" paths are readable by all users, they just aren't
in the PATH.  Try this from your shell:

as user:

echo $PATH

as root:

echo $PATH

  Notice how the "sbin"s are included while you are root but not while
you are a user?  That's because most of those binaries can't be used
(at least not completely) by users other than root.  Some distros that
are set up for sudo (like Ubuntu) include "sbin" in most paths and
expect you to use sudo.  Please note the PATH variable in your shell
is R/W and you can set it yourself.

-- 
Kristian Kielhofner
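
Added example, not part of the original message: a POSIX shell check that a config tree matches the "files 660 (dirs 770)" layout with a shared group, as described above. The function name and the output labels are assumptions of this example.

```shell
#!/bin/sh
# audit_asterisk_perms DIR GROUP
#   DIR   - config tree to check, e.g. /etc/asterisk
#   GROUP - group name or numeric gid that should own every entry
# Prints one line per finding and returns 1 if anything is off, 0 if clean.
# (Hypothetical helper written for this example.)
audit_asterisk_perms() {
    dir=$1
    group=$2
    problems=$(
        # Directories must be exactly 770: rwx for owner and group, nothing for others.
        find "$dir" -type d ! -perm 770 -exec printf 'dir-mode %s\n' {} \;
        # Regular files must be exactly 660: no execute bits, nothing for others.
        find "$dir" -type f ! -perm 660 -exec printf 'file-mode %s\n' {} \;
        # Every entry must belong to the shared group, otherwise the
        # daemon user or the admin user loses access to it.
        find "$dir" ! -group "$group" -exec printf 'group %s\n' {} \;
    )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Typical call, run as root or as a member of the group:
#   audit_asterisk_perms /etc/asterisk asterisk
```

A recursive chmod to 770 shows up here as file-mode findings, since it also sets the execute bits on the config files.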


