[asterisk-users] asterisk as non-root/best practices
Robert McNaught
robert.mcnaught at gmail.com
Fri Nov 30 16:59:23 CST 2007
> thanks for the reply Tzafrir,
>
> I tried the below, but I think maybe I misexplained what I am trying
> to do. I have asterisk running as user asterisk - I followed the
> instructions in the Asterisk book and have everything stored
> in /home/asterisk/asterisk-bin - this includes logs, pid files,
> configs etc etc
>
> my asterisk.conf is
>
> [directories]
> astetcdir => /home/asterisk/asterisk-bin/asterisk
> astmoddir => /home/asterisk/asterisk-bin/lib/asterisk/modules
> astvarlibdir => /home/asterisk/asterisk-bin/lib/asterisk
> astdatadir => /home/asterisk/asterisk-bin/lib/asterisk
> astagidir => /home/asterisk/asterisk-bin/lib/asterisk/agi-bin
> astspooldir => /home/asterisk/asterisk-bin/spool/asterisk
> astrundir => /home/asterisk/asterisk-bin/run
> astlogdir => /home/asterisk/asterisk-bin/log/asterisk
>
> [options]
> ;internal_timing = yes
> systemname = XXXXX ; prefix uniqueid with a system name for global
> uniqueness issues
> ; Changing the following lines may compromise your security.
> ;[files]
> ;astctlpermissions = 0770
> astctlowner = asterisk
> astctlgroup = asterisk
> ;astctl = asterisk.ctl
>
> my problem is that a non-privileged user, eg admin, cannot log in and
> connect to the console by issuing the following
>
> [admin at XXXX]$ asterisk -r
> bash: asterisk: command not found
>
> [admin at XXXXX]$ whereis asterisk
> asterisk: /usr/sbin/asterisk /usr/lib/asterisk /usr/include/asterisk /usr/include/asterisk.h /usr/share/man/man8/asterisk.8
>
> what is the best way to solve this problem?
>
> i have tried adding
>
> admin ALL=(ALL) ALL - I will prune back once I verify I can
> get this working
>
> into visudo, but even that returns asterisk:command not found
>
> Does anyone out there know the best way around this - I tried adding
> in a symbolic link in /usr/bin/asterisk to point to
> the /home/asterisk/asterisk-bin/sbin/asterisk file, which worked, but
> is a hack around the problem and don't believe this is the way
>
> It seems that non-privileged users cannot run commands in sbin, but
> can in bin directories
>
> Robert
>
>
> >
> > On Mon, Nov 19, 2007 at 08:51:21AM -0800, Robert McNaught wrote:
> > > Hi,
> > >
> > > I have set up asterisk to run as non root, and allow admin users to log
> > > in to the server as asterisk, which gives them privileges to edit
> > > configs in the asterisk home directory.
> >
> > The daemon runs as the user asterisk. There is no reason why the admin
> > should run as the user asterisk.
> >
> > >
> > > As for connecting to the console with 'asterisk -r' - this by default
> > > does not work as asterisk is owned stored in /usr/sbin/asterisk
> > >
> > > I am reading that the best way to solve this is to use 'visudo' - I
> > > added this:-
> > >
> > > asterisk ALL=/usr/sbin/asterisk -r NOPASSWD: ALL
> >
> >
> > This is totally unrequired. You just need to set proper permissions for
> > the socket /var/run/asterisk/asterisk.ctl . This is done in
> > asterisk.conf -
> >
> > [files]
> > ;astctlpermissions = 0660
> > ;astctlowner = root
> > astctlgroup = asterisk
> > ;astctl = asterisk.ctl
> >
> > http://svn.digium.com/svn/asterisk/branches/1.4/doc/asterisk-conf.txt
> >
> > > asterisk ALL=/usr/sbin/safe_asterisk NOPASSWD: ALL
> >
> > Why would Asterisk need to run safe_asterisk?
> >
> > With an arbitrary parameter?
> >
> > You may want to permit some administrator to do that, but not the
> > asterisk daemon. This probably opens the door to priviliges escalations.
> >
> > --
> > Tzafrir Cohen
> > icq#16849755 jabber:tzafrir.cohen at xorcom.com
> > +972-50-7952406 mailto:tzafrir.cohen at xorcom.com
> > http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
> >
> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20071130/ce839eca/attachment.htm
More information about the asterisk-users
mailing list