<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.14.3">
</HEAD>
<BODY>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000">thanks for the reply Tzafrir,</FONT><BR>
<BR>
<FONT COLOR="#000000">I tried the below, but I think maybe I misexplained what I am trying to do. I have asterisk running as user asterisk - I followed the instructions in the Asterisk book and have everything stored in /home/asterisk/asterisk-bin - this includes logs, pid files, configs etc etc</FONT><BR>
<BR>
<FONT COLOR="#000000">my asterisk.conf is </FONT><BR>
<BR>
<FONT COLOR="#000000">[directories]</FONT><BR>
<FONT COLOR="#000000">astetcdir => /home/asterisk/asterisk-bin/asterisk</FONT><BR>
<FONT COLOR="#000000">astmoddir => /home/asterisk/asterisk-bin/lib/asterisk/modules</FONT><BR>
<FONT COLOR="#000000">astvarlibdir => /home/asterisk/asterisk-bin/lib/asterisk</FONT><BR>
<FONT COLOR="#000000">astdatadir => /home/asterisk/asterisk-bin/lib/asterisk</FONT><BR>
<FONT COLOR="#000000">astagidir => /home/asterisk/asterisk-bin/lib/asterisk/agi-bin</FONT><BR>
<FONT COLOR="#000000">astspooldir => /home/asterisk/asterisk-bin/spool/asterisk</FONT><BR>
<FONT COLOR="#000000">astrundir => /home/asterisk/asterisk-bin/run</FONT><BR>
<FONT COLOR="#000000">astlogdir => /home/asterisk/asterisk-bin/log/asterisk</FONT><BR>
<BR>
<FONT COLOR="#000000">[options]</FONT><BR>
<FONT COLOR="#000000">;internal_timing = yes</FONT><BR>
<FONT COLOR="#000000">systemname = XXXXX ; prefix uniqueid with a system name for global uniqueness issues</FONT><BR>
<FONT COLOR="#000000">; Changing the following lines may compromise your security.</FONT><BR>
<FONT COLOR="#000000">;[files]</FONT><BR>
<FONT COLOR="#000000">;astctlpermissions = 0770</FONT><BR>
<FONT COLOR="#000000">astctlowner = asterisk</FONT><BR>
<FONT COLOR="#000000">astctlgroup = asterisk</FONT><BR>
<FONT COLOR="#000000">;astctl = asterisk.ctl</FONT><BR>
<BR>
<FONT COLOR="#000000">my problem is that a non-privileged user, eg admin, cannot log in and connect to the console by issuing the following</FONT><BR>
<BR>
<FONT COLOR="#000000">[admin@XXXX]$ asterisk -r</FONT><BR>
<FONT COLOR="#000000">bash: asterisk: command not found</FONT><BR>
<BR>
<FONT COLOR="#000000">[admin@XXXXX]$ whereis asterisk</FONT><BR>
<FONT COLOR="#000000">asterisk: /usr/sbin/asterisk /usr/lib/asterisk /usr/include/asterisk /usr/include/asterisk.h /usr/share/man/man8/asterisk.8</FONT><BR>
<BR>
<FONT COLOR="#000000">what is the best way to solve this problem?</FONT><BR>
<BR>
<FONT COLOR="#000000">i have tried adding</FONT><BR>
<BR>
<FONT COLOR="#000000">admin ALL=(ALL) ALL - I will prune back once I verify I can get this working</FONT><BR>
<BR>
<FONT COLOR="#000000">into visudo, but even that returns asterisk:command not found</FONT><BR>
<BR>
<FONT COLOR="#000000">Does anyone out there know the best way around this - I tried adding in a symbolic link in /usr/bin/asterisk to point to the /home/asterisk/asterisk-bin/sbin/asterisk file, which worked, but is a hack around the problem and don't believe this is the way</FONT><BR>
<BR>
<FONT COLOR="#000000">It seems that non-privileged users cannot run commands in sbin, but can in bin directories</FONT><BR>
<BR>
<FONT COLOR="#000000">Robert</FONT><BR>
<BR>
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">On Mon, Nov 19, 2007 at 08:51:21AM -0800, Robert McNaught wrote:</FONT>
<FONT COLOR="#000000">> Hi,</FONT>
<FONT COLOR="#000000">> </FONT>
<FONT COLOR="#000000">> I have set up asterisk to run as non root, and allow admin users to log</FONT>
<FONT COLOR="#000000">> in to the server as asterisk, which gives them privileges to edit</FONT>
<FONT COLOR="#000000">> configs in the asterisk home directory.</FONT>
<FONT COLOR="#000000">The daemon runs as the user asterisk. There is no reason why the admin</FONT>
<FONT COLOR="#000000">should run as the user asterisk.</FONT>
<FONT COLOR="#000000">> </FONT>
<FONT COLOR="#000000">> As for connecting to the console with 'asterisk -r' - this by default</FONT>
<FONT COLOR="#000000">> does not work as asterisk is owned stored in /usr/sbin/asterisk</FONT>
<FONT COLOR="#000000">> </FONT>
<FONT COLOR="#000000">> I am reading that the best way to solve this is to use 'visudo' - I</FONT>
<FONT COLOR="#000000">> added this:-</FONT>
<FONT COLOR="#000000">> </FONT>
<FONT COLOR="#000000">> asterisk ALL=/usr/sbin/asterisk -r NOPASSWD: ALL</FONT>
<FONT COLOR="#000000">This is totally unrequired. You just need to set proper permissions for</FONT>
<FONT COLOR="#000000">the socket /var/run/asterisk/asterisk.ctl . This is done in</FONT>
<FONT COLOR="#000000">asterisk.conf - </FONT>
<FONT COLOR="#000000">[files]</FONT>
<FONT COLOR="#000000">;astctlpermissions = 0660</FONT>
<FONT COLOR="#000000">;astctlowner = root</FONT>
<FONT COLOR="#000000">astctlgroup = asterisk</FONT>
<FONT COLOR="#000000">;astctl = asterisk.ctl</FONT>
<FONT COLOR="#000000"><A HREF="http://svn.digium.com/svn/asterisk/branches/1.4/doc/asterisk-conf.txt">http://svn.digium.com/svn/asterisk/branches/1.4/doc/asterisk-conf.txt</A></FONT>
<FONT COLOR="#000000">> asterisk ALL=/usr/sbin/safe_asterisk NOPASSWD: ALL</FONT>
<FONT COLOR="#000000">Why would Asterisk need to run safe_asterisk?</FONT>
<FONT COLOR="#000000">With an arbitrary parameter?</FONT>
<FONT COLOR="#000000">You may want to permit some administrator to do that, but not the</FONT>
<FONT COLOR="#000000">asterisk daemon. This probably opens the door to priviliges escalations.</FONT>
<FONT COLOR="#000000">-- </FONT>
<FONT COLOR="#000000"> Tzafrir Cohen</FONT>
<FONT COLOR="#000000">icq#16849755 jabber:<A HREF="mailto:tzafrir.cohen@xorcom.com">tzafrir.cohen@xorcom.com</A></FONT>
<FONT COLOR="#000000">+972-50-7952406 <A HREF="mailto:tzafrir.cohen@xorcom.com">mailto:tzafrir.cohen@xorcom.com</A></FONT>
<FONT COLOR="#000000"><A HREF="http://www.xorcom.com">http://www.xorcom.com</A> iax:<A HREF="mailto:guest@local.xorcom.com">guest@local.xorcom.com</A>/tzafrir</FONT>
</PRE>
</BLOCKQUOTE>
</BLOCKQUOTE>
</BODY>
</HTML>