[Asterisk-Users] Asterisk & sudo from httpd
Tzafrir Cohen
tzafrir at technion.ac.il
Sun Sep 5 17:32:57 MST 2004
On Sun, Sep 05, 2004 at 11:52:13PM +0200, Roland Zagler wrote:
> Hello!
>
> I want to use "asterisk -rx "show version"" from a php script called in
> the browser using the local apache, which runs as user "apache".
> Asterisk is running as root.
>
> I added the following line to /etc/sudoers using visudo:
>
> apache ALL = NOPASSWD: /usr/sbin/asterisk
This should allow the user group known as "apache" to sudo to run the
command "/usr/sbin/asterisk" (without any additional parameters).
This is surely not what you want. Uless you want apache to be able to
initiate starting an extra asterisk (or a DoS attack?)
This is what you should put in sudoers:
apache localhost = NOPASSWD: /usr/sbin/asterisk -rx 'show version'
You should consider puting it in an external script if you feel that the
command is getting too complex.
And then you run it just as before, by executing "sudo
/usr/sbin/asterisk -rx 'show version'" by the user apache.
As for whether a direct tcp connection is better here: sorry: I have no
idea. One thing, though: if you are afraid of any local user that can
execute arbitrary code, that local user would be able to use the tcp
interface in much nicer ways, right?
--
Tzafrir Cohen +---------------------------+
http://www.technion.ac.il/~tzafrir/ |vim is a mutt's best friend|
mailto:tzafrir at technion.ac.il +---------------------------+
More information about the asterisk-users
mailing list