
voip-info.org


Asterisk non-root

Created by: JustRumours. Last modification on Mon 19 of May, 2008 [16:08 UTC] by tzafrir
By default Asterisk is configured to run as root, that is, the superuser. This page is about why it is not a good idea and how to set it up to run as a different user.


Summary

Can Asterisk run as non-root?

Yes, but it requires a little tweaking.

Why would this be useful?

So that if Asterisk suffers a remote security compromise, the attacker cannot use it to take over the entire box. Ideally the compromise shouldn't even allow editing of the config files (possible if you don't edit them on-the-fly via the console).

Distro Packages

I installed Asterisk from a distro package. Any tweaks necessary?

Debian packages (as of Sarge) and Ubuntu packages (at least as of 5-10, not sure about later) already run as non-root and won't need any changes.
FreeBSD ports run as root. Not sure about SuSE packages, Fedora Extras packages, Mandrake contrib packages, DAG packages or anything else.
Fedora (ATrpms repo): installs with user=asterisk, group=asterisk but will fail to start with the error "unable to access /var/log/asterisk/messages".

SELinux causes problems. To disable SELinux, change SELINUX=enabled to SELINUX=disabled or SELINUX=permissive in /etc/selinux/config.

Quick Start

No-frills Guide for Asterisk 1.4.* (RedHat flavour) as of 19 May 2008

/etc/init.d/asterisk stop
#> Shutting down asterisk:                                      OK  
#----------------------------------------------------
#
# It is safer to define a user called asterisk in group asterisk
# unless you want to make more changes to 2 files i.e. zaptel.rules and /etc/init.d/asterisk
#
/usr/sbin/groupadd asterisk
#----------------------------------------------------
/usr/sbin/useradd -d /var/lib/asterisk -g asterisk asterisk
#> useradd: warning: the home directory already exists.
#> Not copying any file from skel directory into it.
#
#----------------------------------------------------
chown --recursive asterisk:asterisk /var/lib/asterisk
chown --recursive asterisk:asterisk /var/log/asterisk
chown --recursive asterisk:asterisk /var/run/asterisk
chown --recursive asterisk:asterisk /var/spool/asterisk
chown --recursive asterisk:asterisk /usr/lib/asterisk
chown --recursive asterisk:asterisk /dev/zap
#----------------------------------------------------
chmod --recursive u=rwX,g=rX,o= /var/lib/asterisk
chmod --recursive u=rwX,g=rX,o= /var/log/asterisk
chmod --recursive u=rwX,g=rX,o= /var/run/asterisk
chmod --recursive u=rwX,g=rX,o= /var/spool/asterisk
chmod --recursive u=rwX,g=rX,o= /usr/lib/asterisk
chmod --recursive u=rwX,g=rX,o= /dev/zap
#----------------------------------------------------
chown --recursive root:asterisk /etc/asterisk
chmod --recursive u=rwX,g=rX,o= /etc/asterisk
#----------------------------------------------------
cp /etc/asterisk/asterisk.conf /etc/asterisk/asterisk.conf.org
vi /etc/asterisk/asterisk.conf

# Change the following line from:
#
# astrundir => /var/run
#
# to
#
# astrundir => /var/run/asterisk
#
#----------------------------------------------------
cp /etc/init.d/asterisk /etc/init.d/asterisk.org
#----------------------------------------------------
vi /etc/init.d/asterisk

# Change the following line from:
#
# #AST_USER="asterisk"
# #AST_GROUP="asterisk"
#
# to
#
# AST_USER="asterisk"
# AST_GROUP="asterisk"
#
#----------------------------------------------------

# Asterisk needs to write to voicemail.conf for password change.
#
chmod g+w /etc/asterisk/voicemail.conf
chmod g+w,+t /etc/asterisk
#----------------------------------------------------

# Let's restart Asterisk to ensure that both start up methods work.
#
#----------------------------------------------------
/etc/init.d/asterisk restart
#----------------------------------------------------
asterisk -U asterisk -G asterisk
#----------------------------------------------------


User Account

Use your system's preferred method of adding a new user. Examples:
  • Red Hat: adduser -c "Asterisk PBX" -d /var/lib/asterisk asterisk
  • Debian: adduser --system --group --home /var/lib/asterisk --no-create-home --gecos "Asterisk PBX" asterisk
  • Debian: adduser asterisk dialout
  • Debian: adduser asterisk audio

Note that recent Debian packages do this for you, including the chown and chmod steps.
Just take care not to start Asterisk as root accidentally by omitting '-U'.

Run Directory

Asterisk >= 1.4

Edit your Asterisk config file (/etc/asterisk/asterisk.conf):

   astrundir => /var/run/asterisk

Asterisk <= 1.2

Edit /usr/src/asterisk/Makefile and change the definition of ASTVARRUNDIR like this:

   ASTVARRUNDIR=$(INSTALL_PREFIX)/var/run/asterisk

Recompile and reinstall Asterisk. See Compiling Asterisk for details of this process.

Permissions

Asterisk needs write permission for these directories and their contents:
  • /var/lib/asterisk
  • /var/log/asterisk
  • /var/run/asterisk
  • /var/spool/asterisk
  • /usr/lib/asterisk
  • /dev/zap/* (though this is better done through udev rules for Zaptel; see the Zaptel README at http://zaptel.tzafrir.org.il)

The files in the /var/spool/asterisk/outgoing directory need to be owned by the asterisk user as well as writable: writable because Asterisk appends lines to indicate retry status, and owned so that it can set the utime (file timestamp). Covered below.

   chown --recursive asterisk:asterisk /var/lib/asterisk
   chown --recursive asterisk:asterisk /var/log/asterisk
   chown --recursive asterisk:asterisk /var/run/asterisk
   chown --recursive asterisk:asterisk /var/spool/asterisk
   chown --recursive asterisk:asterisk /usr/lib/asterisk

   chmod --recursive u=rwX,g=rX,o= /var/lib/asterisk
   chmod --recursive u=rwX,g=rX,o= /var/log/asterisk
   chmod --recursive u=rwX,g=rX,o= /var/run/asterisk
   chmod --recursive u=rwX,g=rX,o= /var/spool/asterisk
   chmod --recursive u=rwX,g=rX,o= /usr/lib/asterisk

Also, make note that if you're running udev on your system (linux-2.6), the /dev directory is dynamically populated with device nodes, meaning that any permissions you set on /dev/zap will be lost on your next reboot, and you may get a nasty message such as "Asterisk ended with exit status 1" when trying to start asterisk. Read the file /path/to/zaptel-src-1.2.x/README.udev for instructions on how to change the user/group assigned to /dev/zap.

Asterisk needs read permission for these directories and their contents:
  • /etc/asterisk

   chown --recursive root:asterisk /etc/asterisk
   chmod --recursive u=rwX,g=rX,o= /etc/asterisk
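To confirm that a tree really matches the policy used in the Quick Start and in the chmod lines above (nothing reachable by "other"; nothing under the config tree group-writable except voicemail.conf), here is an added audit script. It is not part of this page's procedure: the trees are passed as arguments so it can be tried on a test copy first, and ownership is left to chown because uid checks need the real asterisk account.

```shell
#!/bin/sh
# Added example (not from this page): audit directory trees against the
# permission policy described above.
#  - nothing under an Asterisk tree may be readable/writable/executable by others (o=)
#  - under the config tree (/etc/asterisk) no file may be group-writable,
#    except the files Asterisk must rewrite (voicemail.conf on this page)
# Ownership (asterisk:asterisk, root:asterisk) is left to chown: checking uids
# needs the real asterisk account, which a test box may not have.

# Print every path under $1 with any "other" permission bit set.
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print every regular file under $1 that is group-writable and whose
# basename is not in the space-separated allow list $2.
group_writable_except() {
    root=$1; allow=" $2 "
    find "$root" -type f -perm -020 -print | while IFS= read -r f; do
        case "$allow" in
            *" ${f##*/} "*) ;;            # allowed, e.g. voicemail.conf
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Audit an Asterisk-writable tree ($1) and a config tree ($2).
# Violations go to stderr, the violation count to stdout (0 = policy holds).
audit_trees() {
    n=0
    for p in $(world_accessible "$1") $(world_accessible "$2"); do
        echo "world-accessible: $p" >&2; n=$((n + 1))
    done
    for p in $(group_writable_except "$2" voicemail.conf); do
        echo "group-writable config: $p" >&2; n=$((n + 1))
    done
    echo "$n"
}

# Usage on a real system (run as root), one writable tree at a time:
#   audit_trees /var/lib/asterisk /etc/asterisk
```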

You might also have to take a look at the permissions of the web voicemail cgi files/directory.


Other files and devices may also need to be tweaked depending on your exact setup.

e.g. If you use chan_oss:
   chown asterisk /dev/dsp

If running chan_capi for ISDN devices:
   chown asterisk /dev/capi20

If using the Sirrix cards :-
   chown asterisk /dev/bchdev /dev/dchdev

If using chan_alsa:
   chown --recursive asterisk /dev/snd

SUID root executables


If you're using musiconhold with mpg123, you'll probably need to set the suid bit on the executable like this:

   chmod u+s /usr/local/bin/mpg123

This allows mpg123 to run as root even though Asterisk is running as a non-root user. This appears to be necessary for mpg123 to work properly under Asterisk.

However recall that mpg123 has some known security issues. Don't use it to play arbitrary data from the web.

Using mpg123 as SUID root makes it even more insecure. As of Asterisk 1.2 it is only really needed for remote streaming media.

Starting Asterisk

Starting asterisk is covered elsewhere. However once you've done the above changes, you can make sure asterisk runs as user asterisk and group asterisk by issuing this command in your startup scripts:

   asterisk -U asterisk

Troubleshooting

Problems getting it to work?

As root, run the command:
   strace -eopen asterisk -U asterisk
and look for failures to open files. Modify the ownership and permissions of the culprits and try again.
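As an added helper (not from this page), the script below pulls the permission-related open failures out of that strace output, so the culprits to chown/chmod are listed once each. The trace it runs on is a constructed sample; the paths in it are only illustrative.

```shell
#!/bin/sh
# Added example (not from this page): list the files that Asterisk could not
# open for permission reasons in the output of 'strace -eopen asterisk -U asterisk'.
# Only EACCES/EPERM count; an ENOENT line is a missing file, not a wrong mode.
# A '[pid N] ' prefix (strace -f) is tolerated; each culprit is printed once.

open_permission_failures() {
    awk '/open\(/ && / = -1 (EACCES|EPERM) / {
        path = $0
        sub(/^(\[pid +[0-9]+\] )?open\("/, "", path)   # drop call name, keep quoted path
        sub(/".*$/, "", path)
        if (!seen[path]++) print path
    }'
}

# Constructed sample, not a real trace: what a run might show when
# /var/log/asterisk is still owned by root and voicemail.conf is not group-writable.
SAMPLE_TRACE='open("/etc/asterisk/asterisk.conf", O_RDONLY) = 3
open("/var/log/asterisk/messages", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
open("/var/run/asterisk/asterisk.ctl", O_RDWR) = -1 ENOENT (No such file or directory)
open("/var/log/asterisk/messages", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
open("/etc/asterisk/voicemail.conf", O_RDWR) = -1 EACCES (Permission denied)'

# Print the distinct culprits from the sample (the ones to chown/chmod).
culprits_from_sample() {
    printf '%s\n' "$SAMPLE_TRACE" | open_permission_failures
}

# On a real system: strace -eopen asterisk -U asterisk 2>&1 | open_permission_failures
```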

If you use the -p option (real-time priority) to Asterisk, Asterisk must be executed as root, even if it later drops the root privileges (using -U). Thus you should not use 'su asterisk' to run safe_asterisk. Anybody who actually uses safe_asterisk with -p, please fix this.

Also, take care not to run Asterisk without -U asterisk. You may be tempted to do so for debugging. The Debian package (in Xorcom Rapid and in current Etch) has /etc/init.d/asterisk debug for that.

Asterisk ended with exit status 1

See Also

Asterisk | Asterisk Installation | Compiling Asterisk

Comments


Problems with start-stop-daemon

by _Thomas_, Thursday 12 of April, 2007 [23:14:53 UTC]
I had some problems with * as non-root and the Debian start-stop-daemon (which is used by the /etc/init.d/asterisk script).

Using "asterisk -U asterisk" worked: asterisk ran as user "asterisk".
Using "start-stop-daemon -S --exec asterisk -- -U asterisk" didn't work: asterisk ran as user "root".

After hours of searching the net I found a solution/workaround for this: Simply add the following to your /etc/asterisk/asterisk.conf:

[options]
runuser => asterisk

by msg, Saturday 09 of September, 2006 [16:48:46 UTC]
safe_asterisk has a variable called ASTARGS which can be assigned the value of "-U asterisk" to make safe_asterisk run the program as a non-root user without needing to su to execute the script.

by coatesg, Monday 20 of February, 2006 [16:09:26 UTC]
And 3.:

I'm sure asterisk needs a shell to run safe_asterisk in:

su -s /bin/bash -c /usr/sbin/safe_asterisk

It doesn't run on my system otherwise (I have /bin/false set as the shell for asterisk in /etc/passwd).


by coatesg, Monday 20 of February, 2006 [15:58:06 UTC]
Having followed the above using a Debian Sarge system, I found the following:

1. /usr/sbin/safe_asterisk fails if /usr/sbin is not in the asterisk user's $PATH - I fixed it by adding:

PATH=$PATH:/usr/sbin

to the top of safe_asterisk

2. The user asterisk is not in the group asterisk! So don't get yourself confused over group permissions...

System user

by kleptog, Wednesday 16 of March, 2005 [12:18:06 UTC]
It's probably a good idea to add --system to the adduser line, since it's not actually a real user.

TOS bits

by andrewid, Monday 21 of February, 2005 [15:11:54 UTC]
Asterisk can't set the TOS bit in user mode, so you have to set it in iptables:

  1. Set TOS bit
iptables -A OUTPUT -t mangle -p udp -m udp --dport 5060 -j DSCP --set-dscp 0x28
iptables -A OUTPUT -t mangle -p udp -m udp --sport 10000:20000 -j DSCP --set-dscp 0x28


Doesn't work for music on hold

by , Tuesday 18 of May, 2004 [23:43:38 UTC]
The debian packages use this method... the server fails to spawn the mpg123 executables correctly so music on hold fails.