<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.14.3">
</HEAD>
<BODY>
Thanks for the reply, Tzafrir,<BR>
<BR>
I tried the below, but I think maybe I misexplained what I am trying to do. I have asterisk running as user asterisk - I followed the instructions in the Asterisk book and have everything stored in /home/asterisk/asterisk-bin - this includes logs, pid files, configs etc etc<BR>
<BR>
My asterisk.conf is:<BR>
<BR>
[directories]<BR>
astetcdir => /home/asterisk/asterisk-bin/asterisk<BR>
astmoddir => /home/asterisk/asterisk-bin/lib/asterisk/modules<BR>
astvarlibdir => /home/asterisk/asterisk-bin/lib/asterisk<BR>
astdatadir => /home/asterisk/asterisk-bin/lib/asterisk<BR>
astagidir => /home/asterisk/asterisk-bin/lib/asterisk/agi-bin<BR>
astspooldir => /home/asterisk/asterisk-bin/spool/asterisk<BR>
astrundir => /home/asterisk/asterisk-bin/run<BR>
astlogdir => /home/asterisk/asterisk-bin/log/asterisk<BR>
<BR>
[options]<BR>
;internal_timing = yes<BR>
systemname = XXXXX ; prefix uniqueid with a system name for global uniqueness issues<BR>
; Changing the following lines may compromise your security.<BR>
;[files]<BR>
;astctlpermissions = 0770<BR>
astctlowner = asterisk<BR>
astctlgroup = asterisk<BR>
;astctl = asterisk.ctl<BR>
<BR>
My problem is that a non-privileged user, e.g. admin, cannot log in and connect to the console by issuing the following:<BR>
<BR>
[admin@XXXX]$ asterisk -r<BR>
bash: asterisk: command not found<BR>
<BR>
[admin@XXXXX]$ whereis asterisk<BR>
asterisk: /usr/sbin/asterisk /usr/lib/asterisk /usr/include/asterisk /usr/include/asterisk.h /usr/share/man/man8/asterisk.8<BR>
<BR>
What is the best way to solve this problem?<BR>
<BR>
I have tried adding<BR>
<BR>
admin ALL=(ALL) ALL - I will prune back once I verify I can get this working<BR>
<BR>
into visudo, but even that returns asterisk: command not found<BR>
<BR>
Does anyone out there know the best way around this? I tried adding a symbolic link in /usr/bin/asterisk to point to the /home/asterisk/asterisk-bin/sbin/asterisk file, which worked, but it is a hack around the problem and I don't believe this is the way<BR>
<BR>
It seems that non-privileged users cannot run commands in sbin, but can in bin directories<BR>
<BR>
Robert<BR>
<BR>
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">On Mon, Nov 19, 2007 at 08:51:21AM -0800, Robert McNaught wrote:</FONT>
<FONT COLOR="#000000">> Hi,</FONT>
<FONT COLOR="#000000">> </FONT>
<FONT COLOR="#000000">> I have set up asterisk to run as non root, and allow admin users to log</FONT>
<FONT COLOR="#000000">> in to the server as asterisk, which gives them privileges to edit</FONT>
<FONT COLOR="#000000">> configs in the asterisk home directory.</FONT>
<FONT COLOR="#000000">The daemon runs as the user asterisk. There is no reason why the admin</FONT>
<FONT COLOR="#000000">should run as the user asterisk.</FONT>
<FONT COLOR="#000000">> </FONT>
<FONT COLOR="#000000">> As for connecting to the console with 'asterisk -r' - this by default</FONT>
<FONT COLOR="#000000">> does not work as asterisk is owned stored in /usr/sbin/asterisk</FONT>
<FONT COLOR="#000000">> </FONT>
<FONT COLOR="#000000">> I am reading that the best way to solve this is to use 'visudo' - I</FONT>
<FONT COLOR="#000000">> added this:-</FONT>
<FONT COLOR="#000000">> </FONT>
<FONT COLOR="#000000">> asterisk ALL=/usr/sbin/asterisk -r NOPASSWD: ALL</FONT>
<FONT COLOR="#000000">This is totally unrequired. You just need to set proper permissions for</FONT>
<FONT COLOR="#000000">the socket /var/run/asterisk/asterisk.ctl . This is done in</FONT>
<FONT COLOR="#000000">asterisk.conf - </FONT>
<FONT COLOR="#000000">[files]</FONT>
<FONT COLOR="#000000">;astctlpermissions = 0660</FONT>
<FONT COLOR="#000000">;astctlowner = root</FONT>
<FONT COLOR="#000000">astctlgroup = asterisk</FONT>
<FONT COLOR="#000000">;astctl = asterisk.ctl</FONT>
<FONT COLOR="#000000"><A HREF="http://svn.digium.com/svn/asterisk/branches/1.4/doc/asterisk-conf.txt">http://svn.digium.com/svn/asterisk/branches/1.4/doc/asterisk-conf.txt</A></FONT>
<FONT COLOR="#000000">> asterisk ALL=/usr/sbin/safe_asterisk NOPASSWD: ALL</FONT>
<FONT COLOR="#000000">Why would Asterisk need to run safe_asterisk?</FONT>
<FONT COLOR="#000000">With an arbitrary parameter?</FONT>
<FONT COLOR="#000000">You may want to permit some administrator to do that, but not the</FONT>
<FONT COLOR="#000000">asterisk daemon. This probably opens the door to privilege escalations.</FONT>
<FONT COLOR="#000000">-- </FONT>
<FONT COLOR="#000000"> Tzafrir Cohen</FONT>
<FONT COLOR="#000000">icq#16849755 jabber:<A HREF="mailto:tzafrir.cohen@xorcom.com">tzafrir.cohen@xorcom.com</A></FONT>
<FONT COLOR="#000000">+972-50-7952406 <A HREF="mailto:tzafrir.cohen@xorcom.com">mailto:tzafrir.cohen@xorcom.com</A></FONT>
<FONT COLOR="#000000"><A HREF="http://www.xorcom.com">http://www.xorcom.com</A> iax:<A HREF="mailto:guest@local.xorcom.com">guest@local.xorcom.com</A>/tzafrir</FONT>
</PRE>
</BLOCKQUOTE>
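The quoted reply controls console access through the astctl* keys under [files] in asterisk.conf rather than through sudo. The shell sketch below is an added example, not part of the original thread or of Asterisk itself: it lists which astctl* keys sit under an active [files] header, assuming (as the reply's snippet places them) that they are only read from that section. The function names and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which astctl* keys in an asterisk.conf are effective.
# Assumption: astctl* keys only take effect under an uncommented [files] header.

# effective_ctl_settings: reads an asterisk.conf on stdin.
# Prints "key=value" for astctl* keys inside [files], and
# "IGNORED key (in [section])" for astctl* keys found anywhere else.
effective_ctl_settings() {
    awk '
        /^[ \t]*;/ { next }                  # whole-line comment, skip
        /^[ \t]*\[/ {                        # section header: remember its name
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        /^[ \t]*astctl[a-z]*[ \t]*=/ {
            line = $0
            sub(/;.*$/, "", line)            # drop trailing comment
            split(line, kv, "=")
            key = kv[1]; val = kv[2]
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            sub(/^>/, "", val)               # accept "=>" as well as "="
            if (tolower(sec) == "files") print key "=" val
            else print "IGNORED " key " (in [" sec "])"
        }
    '
}

# Constructed sample: [files] header left commented out, keys uncommented.
sample_commented() {
cat <<'EOF'
[options]
systemname = XXXXX
;[files]
;astctlpermissions = 0770
astctlowner = asterisk
astctlgroup = asterisk
EOF
}

# Constructed sample: [files] active, socket limited to owner and group.
sample_active() {
cat <<'EOF'
[options]
systemname = XXXXX
[files]
astctlpermissions = 0660
astctlowner = asterisk
astctlgroup = asterisk
EOF
}

echo "--- [files] commented out"; sample_commented | effective_ctl_settings
echo "--- [files] active";        sample_active | effective_ctl_settings
```

Run it against a real file with `effective_ctl_settings < /path/to/asterisk.conf`; any IGNORED line means the socket owner, group or mode written in the file is not the one in force.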
</BODY>
</HTML>