Hi,

In the 2nd edition of the Asterisk book, there is a section recommending running asterisk as non-root - tried this and it works. However, asterisk does not have permissions to view certain files relating to zaptel as in the following 'zap show status' command in the * CLI

What would be the best way to get round this, in terms of reliability and security? Is there a way to allow the user 'asterisk' access to the necessary files? Or would it be better to run the zaptel service as the same user as 'asterisk' is running as? Does anyone have any thoughts on this?

BTW, the /dev/zap/ctl file exists and zap is starting with errors or alarms.

No Zaptel interface found.
[Oct 15 10:31:21] WARNING[7036]: chan_zap.c:10026 zap_show_status: Unable to open /dev/zap/ctl: No such file or directory
localhost*CLI>

Cheers
Robert McNaught

On Mon, Oct 15, 2007 at 10:38:09AM -0700, Robert McNaught wrote:
> Hi,
>
> In the 2nd edition of the Asterisk book, there is a section recommending
> running asterisk as non-root - tried this and it works. However,
> asterisk does not have permissions to view certain files relating to
> zaptel as in the following 'zap show status' command in the * CLI
>
> What would be the best way to get round this, in terms of reliability
> and security? Is there a way to allow the user 'asterisk' access to the
> necessary files? Or would it be better to run the zaptel service as the
> same user as 'asterisk' is running as? Does anyone have any thoughts on
> this

Asterisk needs to be able to read/write to the files under /dev/zap. Thus either make them owned by Asterisk or put them in a group in which Asterisk is a member.

For example, in Debian's default udev rules, Zaptel devices are owned by root:dialout with the default 660 permissions. Hence you just need to add Asterisk to the group dialout.

> BTW, the /dev/zap/ctl file exists and zap is starting with errors or
> alarms.
>
> No Zaptel interface found.
> [Oct 15 10:31:21] WARNING[7036]: chan_zap.c:10026 zap_show_status:
> Unable to open /dev/zap/ctl: No such file or directory
> localhost*CLI>

ls -ld /dev/zap /dev/zap/ctl

-- 
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir

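
The owner/group/mode check described in the reply above, as an added example that is not part of the original thread: it reports, for each character device under a directory, whether a given user gets read/write access and through which permission class. The function names, the script name and the uid/gid values in any sample call are assumptions; it relies on GNU stat.

```shell
#!/bin/sh
# Added example, not from the thread. Reports whether a user can open each
# character device under a directory read/write, and through which class.

# rw_via UID "GIDS" OWNER_UID OWNER_GID MODE
# Prints root|owner|group|other when read+write is granted, else
# denied-as-<class>. Only the first matching class is consulted, as in the
# kernel: an owner with mode 460 is denied even if a group would allow it.
rw_via() {
    uid=$1; gids=$2; ouid=$3; ogid=$4
    m=$((0$5))                      # stat prints octal without a leading 0
    if [ "$uid" -eq 0 ]; then echo root; return 0; fi
    if [ "$uid" -eq "$ouid" ]; then
        class=owner; bits=$(( (m >> 6) & 7 ))
    else
        class=other; bits=$(( m & 7 ))
        for g in $gids; do
            if [ "$g" -eq "$ogid" ]; then
                class=group; bits=$(( (m >> 3) & 7 )); break
            fi
        done
    fi
    if [ $(( bits & 6 )) -eq 6 ]; then echo "$class"; return 0; fi
    echo "denied-as-$class"; return 1
}

# check_nodes USER DIR: one line per character device under DIR.
# Assumes GNU stat (-c); user and directory are supplied by the caller.
check_nodes() {
    user=$1; dir=$2
    uid=$(id -u "$user") || return 2
    gids=$(id -G "$user")
    find "$dir" -type c 2>/dev/null | while read -r node; do
        set -- $(stat -c '%u %g %a' "$node")
        printf '%s\t%s\n' "$node" "$(rw_via "$uid" "$gids" "$1" "$2" "$3")"
    done
}

# Example: sh check_zap.sh asterisk /dev/zap   (script name is arbitrary)
if [ $# -eq 2 ]; then check_nodes "$1" "$2"; fi
```

The group list comes from the account database via id -G, so it shows what a freshly started process would get. A daemon that was already running when the user was added to a group keeps its old groups until it is restarted.
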
Robert McNaught wrote:
> Hi,
>
> In the 2nd edition of the Asterisk book, there is a section recommending
> running asterisk as non-root - tried this and it works. However,
> asterisk does not have permissions to view certain files relating to
> zaptel as in the following 'zap show status' command in the * CLI
>
> What would be the best way to get round this, in terms of reliability
> and security? Is there a way to allow the user 'asterisk' access to the
> necessary files? Or would it be better to run the zaptel service as the
> same user as 'asterisk' is running as? Does anyone have any thoughts on
> this
>
> BTW, the /dev/zap/ctl file exists and zap is starting with errors or alarms.
>
> No Zaptel interface found.
> [Oct 15 10:31:21] WARNING[7036]: chan_zap.c:10026 zap_show_status:
> Unable to open /dev/zap/ctl: No such file or directory
> localhost*CLI>

Mine works. I installed asterisk from source and it is running as user "asterisk" group "asterisk". In fact the zaptel udev rules should sort this out automatically. Did you install the udev rules?

vimes*CLI> zap show status
Description                  Alarms      IRQ   bpviol   CRC4
Wildcard X100P Board 1       OK          0     0        0
ZTDUMMY/1 1                  UNCONFIGUR  0     0        0
vimes*CLI>

Alan

-- 
The way out is open!
http://www.theopensourcerer.com

Alan,

What do you mean by the udev rules?

I previously had asterisk compiled and running as user and group 'asterisk'; zaptel and libpri were compiled and installed using user 'root', so the zaptel service was root. I had a dependency issue with asterisk trying to access a file owned by root for zaptel to work.

How is yours configured? Should I be trying to compile and install libpri and zaptel as user 'asterisk'? I tried this but it would not compile, as there were dependency problems with files being owned by root.

Do you know if there are options to put in the make command when you compile libpri and zaptel as user 'asterisk' - maybe that would get round it?

Cheers
Robert