By default, Asterisk is configured to run as root, i.e. the superuser. This page is about why that is not a good idea and how to set Asterisk up to run as an ordinary user.
Can Asterisk run as non-root?
Yes, but it takes a little tweaking.
Why is this useful?
If Asterisk has a remote security compromise, the attacker cannot use it to take control of the whole box. Ideally, the break-in should not even allow control of the config files (possible for those who don't edit them via the console).
I installed Asterisk from the distro package. Are any tweaks necessary?
Debian (as of Sarge) and Ubuntu packages (at least as of 5.10, not sure) run as non-root and do not require any changes.
FreeBSD ports run as root. Not sure about SuSE packages, Fedora-Extra packages, Mandrake-contrib packages, DAG packages, or anything else.
ATrpms repository: installs as user asterisk, group=asterisk, but may fail to start with the error "unable to access /var/log/asterisk/messages."
SELinux causes problems. To disable SELinux, change SELINUX=enforcing to disabled or permissive in /etc/selinux/config.
No-frills guide for Asterisk 1.4. Resolution (RedHat flavor) as of 19 May 2008
/etc/init.d/asterisk stop
> Shutting down asterisk: OK
It is better to define a user called asterisk in group asterisk, unless you want to make more changes to two files, i.e. capi.rules and /etc/init.d/asterisk.
/usr/sbin/groupadd asterisk
/usr/sbin/useradd -d /var/lib/asterisk -g asterisk asterisk
> useradd gives a warning: the home directory already exists.
> Not copying any file from skel directory into it.
chown --recursive asterisk:asterisk /var/lib/asterisk
chown --recursive asterisk:asterisk /dev/zap
If you are running DAHDI, run the next line:
chown --recursive asterisk:asterisk /dev/dahdi
chown --recursive root:asterisk /etc/asterisk
cp /etc/asterisk/asterisk.conf /etc/asterisk/asterisk.conf.org
Change the following line
astrundir => /var/run
to
astrundir => /var/run/asterisk
cp /etc/init.d/asterisk /etc/init.d/asterisk.org
chmod g+w /etc/asterisk/voicemail.conf
chmod g+w,+t /etc/asterisk
/etc/init.d/asterisk restart
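A way to verify the result of the steps above, as an added example that is not part of the original guide: the script walks the directories this page says must belong to the asterisk user and reports any entry with the wrong owner or group. The names check_owner and audit_all, the AST_USER and AST_GROUP variables, the root prefix argument and the --live switch are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original guide): audit the ownership that the
# no-frills steps set up. AST_USER, AST_GROUP and the prefix argument of
# audit_all are assumptions of this sketch so it can also run on a test tree.
AST_USER=${AST_USER:-asterisk}
AST_GROUP=${AST_GROUP:-asterisk}

# check_owner PATH USER GROUP
#   0 = PATH and everything below it is owned by USER:GROUP
#   1 = at least one entry has a different owner or group
#   2 = PATH is missing or could not be scanned
check_owner() {
    path=$1 user=$2 group=$3
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }
    bad=$(find "$path" \( ! -user "$user" -o ! -group "$group" \) -print 2>/dev/null) ||
        { echo "ERROR   $path (unknown user/group or unreadable subtree)"; return 2; }
    if [ -n "$bad" ]; then
        echo "BAD     $path: entries not owned by $user:$group, e.g."
        echo "$bad" | head -n 3 | sed 's/^/          /'
        return 1
    fi
    echo "OK      $path ($user:$group)"
}

# audit_all ROOT: check the paths this page assigns to the asterisk user,
# under prefix ROOT ("" for the live system). Returns the number of failures.
audit_all() {
    root=$1 failures=0
    for dir in /var/lib/asterisk /var/run/asterisk; do
        check_owner "$root$dir" "$AST_USER" "$AST_GROUP" || failures=$((failures + 1))
    done
    # Only one of the two device directories exists, depending on the driver.
    for dev in /dev/zap /dev/dahdi; do
        [ -e "$root$dev" ] || continue
        check_owner "$root$dev" "$AST_USER" "$AST_GROUP" || failures=$((failures + 1))
    done
    # The config directory stays owned by root; asterisk only gets group access.
    check_owner "$root/etc/asterisk" root "$AST_GROUP" || failures=$((failures + 1))
    return "$failures"
}

# Audit the live system only when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_all ""
fi
```

Run it as root so that find can read every subtree; a non-zero exit status is the number of paths that still need a chown.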
Use your system's favorite way of adding a new user. Examples:
Note that recent Debian packages do this for you, including the chown and chmod.
Just take care never to start asterisk as root unwittingly without '-U'.
This directory is used for a number of temporary files. Asterisk must be able to write those files into it. The default was /var/run, which should exist on all systems but is not writable by the asterisk user. Later (in Asterisk 1.6.1) the default was changed to /var/run/asterisk. Many binary packages changed it earlier.
To check the current built-in default:
strings /usr/sbin/asterisk | grep /var/run
Also note that on Ubuntu (and other distributions) /var/run is wiped at startup, so /var/run/asterisk has to be created and chowned to the asterisk user in the init script.
Asterisk >= 1.4
Edit your Asterisk config file (/etc/asterisk/asterisk.conf). Change the section header that carries the comment
; remove the (!) to enable this
into
[directories] ; remove the (!) to enable this
that is, without the (!), exactly as the comment says.
Edit /usr/src/asterisk/Makefile and change the definition of ASTVARRUNDIR like this:
ASTVARRUNDIR=$(INSTALL_PREFIX)/var/run/asterisk
See Compiling Asterisk for details of the procedure.
Asterisk needs write permission for these directories and their contents:
The files in the /var/spool/asterisk/incoming directory must be owned by the asterisk user as well as writable. Writable, because asterisk appends lines to indicate retry status. Owned, so that it can set the time. Covered below.
chown --recursive asterisk:asterisk /var/lib/asterisk
Also note that if you are running udev on your system (Linux 2.6), the /dev directory is dynamically populated with device nodes, meaning any permissions you set on /dev/zap will be lost at the next reboot. You may also get a dreaded message such as "Asterisk ended with exit status 1" when trying to start asterisk. Read the file /path/to/zaptel-src-1.2.x/README.udev for instructions on how to change the user/group assigned to /dev/zap.
chown --recursive root:asterisk /etc/asterisk
You may also want to check the permissions of the VoIP CGI files/directory. Other files and devices may also need a change of ownership, depending on your specific installation.
e.g. if you use chan_oss:
When running chan_capi for ISDN devices:
/dev/capi20
Your distribution's version of capiutils should set this up correctly; watch out for host card init/setup scripts that overwrite the distribution defaults. See devcapi20 Eicon permissions for a suggested fix for this problem on Ubuntu/Debian systems.
If using the Sirrix cards:
If using chan_alsa:
chown --recursive asterisk /dev/snd
SUID root executables
If you are using Music On Hold with mpg123, you will probably need to set the suid bit on the executable like this:
chmod u+s /usr/local/bin/mpg123
This allows mpg123 to run as root even though Asterisk is running as a non-root user. This is required for mpg123 to work properly under Asterisk.
But keep in mind that mpg123 has some known security issues. Do not use it to play random data from the internet.
Using mpg123 as SUID root makes it more insecure. As of Asterisk 1.2, it is only needed for remote streaming sites.
Starting Asterisk
Starting asterisk is covered elsewhere. But once you have made the changes above, you can make sure asterisk runs as user asterisk and group asterisk by putting this command in your startup scripts:
Problems getting it to work?
As root, run this command:
Change the ownership and permissions of the offenders and try again.
If you use the option -p (realtime priority) with Asterisk, Asterisk must be started as root. It then drops its root privileges (using -U). So you should not use 'su asterisk' to run safe_asterisk. Whoever uses safe_asterisk with -p, please fix this.
Also, take care never to run Asterisk without -U asterisk. You may be tempted to do this for debugging. The Debian package (in Xorcom Rapid as well as in current Etch) includes /etc/init.d/asterisk debug for this.