[asterisk-users] asterisk as non-root/best practices

Robert McNaught robert.mcnaught at gmail.com
Fri Nov 30 16:49:59 CST 2007


thanks for the reply Tzafrir,

I tried the below, but I think maybe I misexplained what I am trying to
do.  I have asterisk running as user asterisk - I followed the
instructions in the Asterisk book and have everything stored
in /home/asterisk/asterisk-bin - this includes logs, pid files, configs
etc etc

my asterisk.conf is 

[directories]
astetcdir => /home/asterisk/asterisk-bin/asterisk
astmoddir => /home/asterisk/asterisk-bin/lib/asterisk/modules
astvarlibdir => /home/asterisk/asterisk-bin/lib/asterisk
astdatadir => /home/asterisk/asterisk-bin/lib/asterisk
astagidir => /home/asterisk/asterisk-bin/lib/asterisk/agi-bin
astspooldir => /home/asterisk/asterisk-bin/spool/asterisk
astrundir => /home/asterisk/asterisk-bin/run
astlogdir => /home/asterisk/asterisk-bin/log/asterisk

[options]
;internal_timing = yes
systemname = XXXXX ; prefix uniqueid with a system name for global uniqueness issues
; Changing the following lines may compromise your security.
;[files]
;astctlpermissions = 0770
astctlowner = asterisk
astctlgroup = asterisk
;astctl = asterisk.ctl

my problem is that a non-privileged user, eg admin, cannot log in and
connect to the console by issuing the following

[admin at XXXX]$ asterisk -r
bash: asterisk: command not found

[admin at XXXXX]$ whereis asterisk
asterisk: /usr/sbin/asterisk /usr/lib/asterisk /usr/include/asterisk /usr/include/asterisk.h /usr/share/man/man8/asterisk.8

what is the best way to solve this problem?

i have tried adding

admin   ALL=(ALL)       ALL    - I will prune back once I verify I can
get this working

into visudo, but even that returns asterisk:command not found

Does anyone out there know the best way around this - I tried adding in
a symbolic link in /usr/bin/asterisk to point to
the /home/asterisk/asterisk-bin/sbin/asterisk file, which worked, but is
a hack around the problem and I don't believe this is the way

It seems that non-privileged users cannot run commands in sbin, but can
in bin directories

Robert


> 
> On Mon, Nov 19, 2007 at 08:51:21AM -0800, Robert McNaught wrote:
> > Hi,
> > 
> > I have set up asterisk to run as non root, and allow admin users to log
> > in to the server as asterisk, which gives them privileges to edit
> > configs in the asterisk home directory.
> 
> The daemon runs as the user asterisk. There is no reason why the admin
> should run as the user asterisk.
> 
> > 
> > As for connecting to the console with 'asterisk -r' - this by default
> > does not work as asterisk is owned stored in /usr/sbin/asterisk
> > 
> > I am reading that the best way to solve this is to use 'visudo' - I
> > added this:-
> > 
> > asterisk        ALL=/usr/sbin/asterisk -r           NOPASSWD: ALL
> 
> 
> This is totally unrequired. You just need to set proper permissions for
> the socket /var/run/asterisk/asterisk.ctl . This is done in
> asterisk.conf - 
> 
> [files]
> ;astctlpermissions = 0660
> ;astctlowner = root
> astctlgroup = asterisk
> ;astctl = asterisk.ctl
> 
> http://svn.digium.com/svn/asterisk/branches/1.4/doc/asterisk-conf.txt
> 
> > asterisk        ALL=/usr/sbin/safe_asterisk     NOPASSWD: ALL
> 
> Why would Asterisk need to run safe_asterisk?
> 
> With an arbitrary parameter?
> 
> You may want to permit some administrator to do that, but not the
> asterisk daemon. This probably opens the door to privilege escalation.
> 
> -- 
>                Tzafrir Cohen
> icq#16849755              jabber:tzafrir.cohen at xorcom.com
> +972-50-7952406           mailto:tzafrir.cohen at xorcom.com
> http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
> 
> 
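One way to check who can actually reach the control socket that `asterisk -r` opens, as an added example that is not part of the thread: a small Python script that reads the [files] section of asterisk.conf (the fallbacks for commented-out keys are the values on the commented lines quoted above, and the socket access rule is the generic UNIX one that connect() needs write permission on the socket node). It shows that with astctlgroup = asterisk the admin account needs membership in that group rather than a sudoers entry; the `command not found` message is a separate matter of the binary not being on the admin user's PATH.

```python
import re
import stat

# Constructed sample (not a real file): Robert's [files] section as posted.
SAMPLE_CONF = """\
[files]
;astctlpermissions = 0660
astctlowner = asterisk
astctlgroup = asterisk ; put admins in this group instead of in sudoers
"""
# Fallbacks for commented-out keys (values from the commented lines in the thread).
DEFAULTS = {"astctlpermissions": "0660", "astctlowner": "root"}

def parse_conf(text):
    """asterisk.conf syntax: [section] headers, ';' comments, 'k = v' or 'k => v'."""
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # a commented-out key disappears here
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        else:
            key, value = re.split(r"\s*=>?\s*", line, maxsplit=1)
            current[key] = value
    return sections

def ctl_socket(sections):
    """(mode, owner, group) of the control socket that 'asterisk -r' connects to."""
    f = sections.get("files", {})
    mode = int(f.get("astctlpermissions", DEFAULTS["astctlpermissions"]), 8)
    return mode, f.get("astctlowner", DEFAULTS["astctlowner"]), f.get("astctlgroup")

def can_connect(user, groups, mode, owner, group):
    """connect() on a UNIX socket needs write permission on the socket node."""
    if user == "root":  # root bypasses the mode bits
        return True
    if user == owner:
        return bool(mode & stat.S_IWUSR)
    if group is not None and group in groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def who_can_connect(conf_text, users):
    """users: {name: [groups]} -> {name: bool}."""
    mode, owner, group = ctl_socket(parse_conf(conf_text))
    return {u: can_connect(u, g, mode, owner, group) for u, g in users.items()}
```

Running `who_can_connect(SAMPLE_CONF, {"admin": ["admin"]})` reports `admin` as unable to connect until `asterisk` is added to that user's groups.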