Asterisk non-root

By default Asterisk is configured to run as root, that is, the superuser. This page is about why it is not a good idea and how to set it up to run as a different user.

Summary

Can Asterisk run as non-root?

Yes, but it requires a little tweaking.

Why would this be useful?

So that if Asterisk has a remote security compromise, this cannot be used to take over the entire box. Ideally the compromise shouldn't even allow editing of the config files (possible if you don't edit them on-the-fly via the console).

Distro Packages

I installed Asterisk from a distro package. Any tweaks necessary?

Debian packages (as of Sarge) and Ubuntu packages (at least as of 5-10, not sure) already run as a non-root user and won't need any changes.
FreeBSD ports run as root. Not sure about SuSE packages, Fedora-Extra packages, Mandrake-contrib packages, DAG packages or anything else.
Fedora - ATrpms repo: installs as user=asterisk, group=asterisk but fails to start with the error "unable to access /var/log/asterisk/messages".

SELinux causes problems. To disable SELinux, change SELINUX=enforcing in /etc/selinux/config to SELINUX=permissive (denials are still logged, which is the better choice while troubleshooting) or SELINUX=disabled. Note that this removes a second layer of containment for the whole box; if the failure is only a mislabelled file under /var/log/asterisk or /var/lib/asterisk, relabelling it with restorecon is the narrower fix.

Quick Start

No-frills guide for Asterisk 1.4.* (Red Hat flavour), as of 19 May 2008. Lines starting with # are notes, lines starting with > are the expected output; everything else is typed as root.

/etc/init.d/asterisk stop
> Shutting down asterisk: OK

# It is safer to define a user called asterisk in group asterisk,
# unless you want to make more changes to 2 files, i.e. zaptel.rules and /etc/init.d/asterisk.
/usr/sbin/groupadd asterisk
/usr/sbin/useradd -d /var/lib/asterisk -g asterisk asterisk
> useradd: warning: the home directory already exists.
> Not copying any file from skel directory into it.

chown --recursive asterisk:asterisk /var/lib/asterisk
chown --recursive asterisk:asterisk /var/log/asterisk
chown --recursive asterisk:asterisk /var/run/asterisk
chown --recursive asterisk:asterisk /var/spool/asterisk
chown --recursive asterisk:asterisk /usr/lib/asterisk
# If you are using Zaptel run the next line
chown --recursive asterisk:asterisk /dev/zap
# If you are running DAHDI run the next line
chown --recursive asterisk:asterisk /dev/dahdi

chmod --recursive u=rwX,g=rX,o= /var/lib/asterisk
chmod --recursive u=rwX,g=rX,o= /var/log/asterisk
chmod --recursive u=rwX,g=rX,o= /var/run/asterisk
chmod --recursive u=rwX,g=rX,o= /var/spool/asterisk
chmod --recursive u=rwX,g=rX,o= /usr/lib/asterisk
# If you are using Zaptel run the next line
chmod --recursive u=rwX,g=rX,o= /dev/zap
# If you are using DAHDI run the next line
chmod --recursive u=rwX,g=rX,o= /dev/dahdi

chown --recursive root:asterisk /etc/asterisk
chmod --recursive u=rwX,g=rX,o= /etc/asterisk

cp /etc/asterisk/asterisk.conf /etc/asterisk/asterisk.conf.org
vi /etc/asterisk/asterisk.conf
# Change the following line from:
#   astrundir => /var/run
# to
#   astrundir => /var/run/asterisk

cp /etc/init.d/asterisk /etc/init.d/asterisk.org
vi /etc/init.d/asterisk
# Change the following lines from:
#   #AST_USER="asterisk"
#   #AST_GROUP="asterisk"
# to
#   AST_USER="asterisk"
#   AST_GROUP="asterisk"

# Asterisk needs to write to voicemail.conf for password changes.
chmod g+w /etc/asterisk/voicemail.conf
chmod g+w,+t /etc/asterisk

/etc/init.d/asterisk restart

# Or, started by hand instead of through the init script:
asterisk -U asterisk -G asterisk



User Account

Use your system's preferred method of adding a new user. Examples:
  • Red Hat: adduser -c "Asterisk PBX" -d /var/lib/asterisk asterisk
  • Debian: adduser --system --group --home /var/lib/asterisk --no-create-home --gecos "Asterisk PBX" asterisk
  • Debian: adduser asterisk dialout
  • Debian: adduser asterisk audio

Note that recent Debian packages do this for you, including the chown and chmod.
Just take care not to start Asterisk as root accidentally, i.e. without '-U'.

Run Directory

This directory is used for a number of small temporary files (the pid file and the control socket among them). Asterisk must be able to write those files. The default used to be /var/run, which exists on every system but is not writable by the Asterisk user. Later on (in Asterisk 1.6.1) the default was changed to /var/run/asterisk. A number of binary distributions had changed it earlier.

To check the current built-in default:

strings /usr/sbin/asterisk | grep /var/run

Also note that in Ubuntu (and maybe other distributions) /var/run is cleaned at startup and hence /var/run/asterisk needs to be created and chowned in the asterisk init script.
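The create-and-chown step the paragraph above asks for, as an added example (not code from the original page or from the Asterisk project) in the form an init script would use: an idempotent function that creates the run directory, hands it to the Asterisk user and group, keeps others out, and a second function that reports whether a later "asterisk -U" will be able to use it. The path, user and group are parameters; the defaults in the usage comment are this page's. It assumes GNU stat for the readiness check.

```shell
#!/bin/sh
# Added example, not from the original page or the Asterisk project: the step an
# init script needs on systems that wipe /var/run at boot. It creates the run
# directory, gives it to the Asterisk user/group and removes all access for
# others, so that "asterisk -U asterisk" can write its pid file and control
# socket there.

# ensure_rundir DIR USER GROUP
# Idempotent: safe to call on every start. Returns non-zero if the directory
# cannot be created or fixed up.
ensure_rundir() {
    dir=$1; user=$2; group=$3
    # -p makes this a no-op when the directory survived the reboot.
    mkdir -p "$dir" || return 1
    # Only the Asterisk user writes here; the group may read (for tools run by
    # members of the asterisk group); nobody else sees the pid file or socket.
    chown "$user:$group" "$dir" || return 1
    chmod u=rwx,g=rx,o= "$dir" || return 1
}

# rundir_ready DIR USER
# Success (0) iff DIR exists, is owned by USER and grants nothing to others,
# i.e. iff a later "asterisk -U USER" will be able to use it.
rundir_ready() {
    [ -d "$1" ] || return 1
    owner=$(stat -c %U "$1") || return 1
    [ "$owner" = "$2" ] || return 1
    mode=$(stat -c %a "$1") || return 1
    # The last octal digit is the "other" class; o= means it must be 0.
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Typical use from /etc/init.d/asterisk, just before starting the daemon
# (AST_USER/AST_GROUP are the variables the page's init script already has):
#   ensure_rundir /var/run/asterisk "$AST_USER" "$AST_GROUP"
#   rundir_ready  /var/run/asterisk "$AST_USER" || exit 1
```

Calling ensure_rundir on every start, not only on first install, is the point: after a reboot that emptied /var/run the directory is recreated before the daemon needs it, and on a normal restart it is a no-op.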

Asterisk >= 1.4

Edit your Asterisk config file (/etc/asterisk/asterisk.conf). The sample file ships the directories section as a disabled template:

[directories](!) ; remove the (!) to enable this

Change it to (drop the (!), just as the comment says):

[directories]

and inside that section set:

astrundir => /var/run/asterisk

Asterisk <=1.2

Edit /usr/src/asterisk/Makefile and change the definition of ASTVARRUNDIR like this:

ASTVARRUNDIR=$(INSTALL_PREFIX)/var/run/asterisk

Recompile and reinstall Asterisk. See Compiling Asterisk for details of this process.


Permissions

Asterisk needs write permission for these directories and their contents:
  • /var/lib/asterisk
  • /var/log/asterisk
  • /var/run/asterisk
  • /var/spool/asterisk
  • /usr/lib/asterisk
  • /dev/zap/* (Though better done through udev rules for Zaptel. See the Zaptel README.)

The files in the /var/spool/asterisk/outgoing directory need to be owned by the asterisk user as well as writable by it: writable because Asterisk appends lines to record retry status, and owned because Asterisk sets their modification time (utime), which only the owner may set to an arbitrary value. Both are covered by the commands below.

chown --recursive asterisk:asterisk /var/lib/asterisk
chown --recursive asterisk:asterisk /var/log/asterisk
chown --recursive asterisk:asterisk /var/run/asterisk
chown --recursive asterisk:asterisk /var/spool/asterisk
chown --recursive asterisk:asterisk /usr/lib/asterisk

chmod --recursive u=rwX,g=rX,o= /var/lib/asterisk
chmod --recursive u=rwX,g=rX,o= /var/log/asterisk
chmod --recursive u=rwX,g=rX,o= /var/run/asterisk
chmod --recursive u=rwX,g=rX,o= /var/spool/asterisk
chmod --recursive u=rwX,g=rX,o= /usr/lib/asterisk

Also, make note that if you're running udev on your system (linux-2.6), the /dev directory is dynamically populated with device nodes, meaning that any permissions you set on /dev/zap will be lost on your next reboot, and you may get a nasty message such as "Asterisk ended with exit status 1" when trying to start asterisk. Read the file /path/to/zaptel-src-1.2.x/README.udev for instructions on how to change the user/group assigned to /dev/zap.

Asterisk needs read permission for these directories and their contents:
  • /etc/asterisk

chown --recursive root:asterisk /etc/asterisk
chmod --recursive u=rwX,g=rX,o= /etc/asterisk
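The two ownership rules above (asterisk:asterisk with o= on the data trees, root:asterisk with o= on /etc/asterisk) are easy to get right once and lose later, when a package upgrade or a hand edit as root drops a world-readable sip.conf into place. The following audit, an added example and not code from the original page or the Asterisk project, walks a tree and prints every path whose owner, group or "other" bits deviate from what the page prescribes. It assumes GNU find (for -printf); the directory list in the "run" entry point is the page's own, and user and group are parameters so the same function serves both rules.

```shell
#!/bin/sh
# Added example, not code from the original page or the Asterisk project:
# audit a tree against the ownership and mode this page prescribes and print
# every path that deviates. Serves both cases on the page, data directories
# (asterisk:asterisk, o=) and /etc/asterisk (root:asterisk, o=).
# Requires GNU find for -printf.

# audit_tree DIR USER GROUP
# One line per problem found; prints nothing when the tree is as expected.
audit_tree() {
    # %u/%g = owner/group name, %m = mode in octal, %p = path
    find "$1" -printf '%u %g %m %p\n' | while read -r u g m p; do
        if [ "$u" != "$2" ]; then
            printf '%s: owner is %s, want %s\n' "$p" "$u" "$2"
        fi
        if [ "$g" != "$3" ]; then
            printf '%s: group is %s, want %s\n' "$p" "$g" "$3"
        fi
        # The last octal digit is the "other" class; o= means it must be 0.
        # This is the check that catches a config file readable by every
        # local account (SIP secrets, voicemail PINs, manager passwords).
        case "$m" in
            *0) ;;
            *) printf '%s: mode %s grants access to others\n' "$p" "$m" ;;
        esac
    done
}

# audit_ok DIR USER GROUP: success (0) iff audit_tree reports nothing.
audit_ok() {
    [ -z "$(audit_tree "$@")" ]
}

# report DIR USER GROUP: print the findings; return 1 if there were any.
report() {
    out=$(audit_tree "$@")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Entry point with the page's directories; run as root with: sh audit.sh run
if [ "${1:-}" = "run" ]; then
    rc=0
    for d in /var/lib/asterisk /var/log/asterisk /var/run/asterisk \
             /var/spool/asterisk /usr/lib/asterisk; do
        [ -d "$d" ] || continue
        report "$d" asterisk asterisk || rc=1
    done
    # Config is root-owned and only group-readable; voicemail.conf being
    # group-writable (see above) still passes, since only "other" is checked.
    report /etc/asterisk root asterisk || rc=1
    exit $rc
fi
```

A non-zero exit from "run" is the signal to re-apply the chown and chmod lines above; the printed paths tell you which ones. The audit deliberately does not check the user and group bits beyond ownership, because the page itself relaxes them (g+w on voicemail.conf and on /etc/asterisk).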

You might also have to take a look at the permissions of the web voicemail cgi files/directory.


Other files and devices may also need to be tweaked depending on your exact setup.

e.g. If you use chan_oss:
chown asterisk /dev/dsp

If running chan_capi for ISDN devices:
chown asterisk /dev/capi20
Your distribution's version of capiutils should set this up properly; watch out for server card init/setup scripts that override the distribution defaults. See devcapi20 Eicon permissions for a proposed solution for Ubuntu/Debian systems.

If using the Sirrix cards :-
chown asterisk /dev/bchdev /dev/dchdev

If using chan_alsa:
chown --recursive asterisk /dev/snd


SUID root executables


If you're using musiconhold with mpg123, you'll probably need to set the suid bit on the executable like this:

chmod u+s /usr/local/bin/mpg123

This allows mpg123 to run as root even though Asterisk is running as a non-root user. This appears to be necessary for mpg123 to work properly under Asterisk.

However, recall that mpg123 has some known security issues. Don't use it to play arbitrary data from the web.

Using mpg123 as SUID root makes it even more insecure: a flaw in mpg123 would then hand root to whatever controls its input, undoing the point of running Asterisk unprivileged. As of Asterisk 1.2 it is only really needed for remote streaming media.

Starting Asterisk

Starting asterisk is covered elsewhere. However once you've done the above changes, you can make sure asterisk runs as user asterisk and group asterisk by issuing this command in your startup scripts:

asterisk -U asterisk

Troubleshooting

Problems getting it to work?

As root run the command:
strace -eopen asterisk -U asterisk
and look for failures to open files (EACCES, EPERM, ENOENT). Modify the ownership and permissions of the culprits and try again. On current glibc, open() is implemented with openat(), so if nothing shows up use -e trace=open,openat, and add -f to follow the threads Asterisk spawns.

If you pass the -p option (real-time priority) to Asterisk, it must be started as root, even though it later drops root privileges (using -U). Thus you should not
use 'su asterisk' to run safe_asterisk. Anybody who actually uses safe_asterisk with -p, please fix this.

Also, take care not to run Asterisk without -U asterisk. You may be tempted to do so for debugging. The Debian package (in Xorcom Rapid and in current Etch) has /etc/init.d/asterisk debug for that.
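Whether the daemon actually ended up unprivileged is worth checking rather than assuming, given the -p and debugging pitfalls just described. The check below is an added example (not code from the original page or the Asterisk project): it reads the pid from the pid file and compares the real and effective uid of that process, taken from /proc, with the uid of the expected user. It assumes Linux (/proc) and the default pid file location /var/run/asterisk/asterisk.pid, i.e. asterisk.pid under the astrundir configured above.

```shell
#!/bin/sh
# Added example, not code from the original page or the Asterisk project:
# verify that the running Asterisk really dropped to the intended user.
# Linux-specific (reads /proc/PID/status).

# process_uid PID
# Prints "real:effective" uid of PID, or nothing if there is no such process.
process_uid() {
    [ -r "/proc/$1/status" ] || return 1
    awk '/^Uid:/ { print $2 ":" $3 }' "/proc/$1/status"
}

# asterisk_runs_as PIDFILE USER
# Success (0) iff the process recorded in PIDFILE runs with both its real and
# effective uid equal to USER's uid. Checking both matters: a process that only
# changed its effective uid can switch back to root, so it has not really
# dropped privileges.
asterisk_runs_as() {
    pidfile=$1; want=$2
    [ -r "$pidfile" ] || { echo "no pid file $pidfile" >&2; return 1; }
    pid=$(cat "$pidfile")
    have=$(process_uid "$pid") || { echo "no process $pid" >&2; return 1; }
    want_uid=$(id -u "$want" 2>/dev/null) || { echo "no user $want" >&2; return 1; }
    [ "$have" = "$want_uid:$want_uid" ]
}

# Entry point with the page's defaults; run as: sh runs-as.sh run
if [ "${1:-}" = "run" ]; then
    if asterisk_runs_as /var/run/asterisk/asterisk.pid asterisk; then
        echo "asterisk is running as user asterisk"
    else
        echo "asterisk is NOT running as user asterisk (or not running)" >&2
        exit 1
    fi
fi
```

Run it after every restart of the init script, or from monitoring; a failure means Asterisk was started without -U (or from safe_asterisk in a way that never reached the setuid step) and is running with the full privileges this page exists to avoid.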

Asterisk ended with exit status 1

See Also



Asterisk | Asterisk Installation | Compiling Asterisk
Created by: JustRumours, Last modification: Mon 28 of Dec, 2009 (06:41 UTC) by uzzi