Robert McNaught
2007-Nov-19 16:51 UTC
[asterisk-users] asterisk as non-root/best practices
Hi,

I have set up asterisk to run as non root, and allow admin users to log in to the server as asterisk, which gives them privileges to edit configs in the asterisk home directory.

As for connecting to the console with 'asterisk -r' - this by default does not work as asterisk is stored in /usr/sbin/asterisk.

I am reading that the best way to solve this is to use 'visudo' - I added this:

asterisk ALL=/usr/sbin/asterisk -r NOPASSWD: ALL
asterisk ALL=/usr/sbin/safe_asterisk NOPASSWD: ALL

I keep getting 'command not found' when logging in as 'asterisk' and trying to connect to the console.

When I do a 'sudo -l' as user asterisk, I get this:

user asterisk may run the following commands on this host:
    (ALL) NOPASSWD: ALL

but still get command not found when trying to connect to the console - even after using 'sudo asterisk -r'.

If I use 'whereis asterisk' as user asterisk, I get:

asterisk: /usr/sbin/asterisk /usr/sbin/asterisk.orig /usr/lib/asterisk /usr/include/asterisk /usr/include/asterisk.h /usr/share/man/man8/asterisk.8

suggesting that it can see it.

Does anyone have any advice on what the best practice on this would be, and on allowing the user asterisk to connect to the console?

Thanks

Robert McNaught
On Mon, Nov 19, 2007 at 08:51:21AM -0800, Robert McNaught wrote:
> Hi,
>
> I have set up asterisk to run as non root, and allow admin users to log
> in to the server as asterisk, which gives them privileges to edit
> configs in the asterisk home directory.

The daemon runs as the user asterisk. There is no reason why the admin should run as the user asterisk.

> As for connecting to the console with 'asterisk -r' - this by default
> does not work as asterisk is stored in /usr/sbin/asterisk
>
> I am reading that the best way to solve this is to use 'visudo' - I
> added this:-
>
> asterisk ALL=/usr/sbin/asterisk -r NOPASSWD: ALL

This is totally unrequired. You just need to set proper permissions for the socket /var/run/asterisk/asterisk.ctl . This is done in asterisk.conf:

[files]
;astctlpermissions = 0660
;astctlowner = root
astctlgroup = asterisk
;astctl = asterisk.ctl

http://svn.digium.com/svn/asterisk/branches/1.4/doc/asterisk-conf.txt

> asterisk ALL=/usr/sbin/safe_asterisk NOPASSWD: ALL

Why would Asterisk need to run safe_asterisk? With an arbitrary parameter?

You may want to permit some administrator to do that, but not the asterisk daemon. This probably opens the door to privilege escalations.

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
Robert McNaught wrote:
> Hi,
>
> I have set up asterisk to run as non root, and allow admin users to log
> in to the server as asterisk, which gives them privileges to edit
> configs in the asterisk home directory.
>
> As for connecting to the console with 'asterisk -r' - this by default
> does not work as asterisk is stored in /usr/sbin/asterisk
>
> I am reading that the best way to solve this is to use 'visudo' - I
> added this:-
>
> asterisk ALL=/usr/sbin/asterisk -r NOPASSWD: ALL
> asterisk ALL=/usr/sbin/safe_asterisk NOPASSWD: ALL
>
> Keep getting 'command not found' when logging in as 'asterisk' and
> trying to connect to the console
>
> when I do a 'sudo -l' as user asterisk - I get this
>
> user asterisk may run the following commands on this host:
>     (ALL) NOPASSWD: ALL
>
> but still get command not found when trying to connect to the console -
> even after using 'sudo asterisk -r'
>
> If I use 'whereis asterisk' as user asterisk, I get:
>
> asterisk: /usr/sbin/asterisk /usr/sbin/asterisk.orig /usr/lib/asterisk
> /usr/include/asterisk /usr/include/asterisk.h /usr/share/man/man8/asterisk.8
>
> Suggesting that it can see it
>
> Does anyone have any advice on what the best practice on this would be?
> and allowing the user asterisk to connect to the console?
>
> Thanks
>
> Robert McNaught

Hi Robert,

I have just done this myself. Here's how I described it on my blog: http://www.theopensourcerer.com/2007/10/30/untangle-asterisk-pbx-and-file-server-all-in-one-part-7/

The host server is Linux From Scratch so you might need to change it a bit, but the process seems sound to me.

Cheers

Alan

--
The way out is open!
http://www.theopensourcerer.com
Robert McNaught
2007-Nov-21 17:37 UTC
[asterisk-users] asterisk as non-root/best practices
Thanks Tzafrir,

I took the stuff out of visudo - it turns out the only way I could get this working was to create a symbolic link - /usr/bin/asterisk to point to /home/asterisk .....asterisk - using the link created in /usr/sbin/ would not work for 'asterisk -r'.

It seems that all commands in /usr/sbin/ were unexecutable by user 'asterisk' or 'admin' - I think that this is to do with the fact that the sbin directory is only designed for root executable files.

What is your recommendation on having an admin user be able to edit configs without using the same username as the asterisk daemon - would you create a group 'asterisk' and have users 'admin' and 'asterisk' as part of that group? If the system was compiled to run as asterisk, then the config files are all stored in the /home/asterisk/ subdirectory and are owned by 'asterisk'.

Can you offer any thoughts on that?

Cheers :-)

Robert

> > Hi,
> >
> > I have set up asterisk to run as non root, and allow admin users to log
> > in to the server as asterisk, which gives them privileges to edit
> > configs in the asterisk home directory.
>
> The daemon runs as the user asterisk. There is no reason why the admin
> should run as the user asterisk.
>
> > As for connecting to the console with 'asterisk -r' - this by default
> > does not work as asterisk is stored in /usr/sbin/asterisk
> >
> > I am reading that the best way to solve this is to use 'visudo' - I
> > added this:-
> >
> > asterisk ALL=/usr/sbin/asterisk -r NOPASSWD: ALL
>
> This is totally unrequired. You just need to set proper permissions for
> the socket /var/run/asterisk/asterisk.ctl . This is done in
> asterisk.conf -
>
> [files]
> ;astctlpermissions = 0660
> ;astctlowner = root
> astctlgroup = asterisk
> ;astctl = asterisk.ctl
>
> http://svn.digium.com/svn/asterisk/branches/1.4/doc/asterisk-conf.txt
>
> > asterisk ALL=/usr/sbin/safe_asterisk NOPASSWD: ALL
>
> Why would Asterisk need to run safe_asterisk?
>
> With an arbitrary parameter?
>
> You may want to permit some administrator to do that, but not the
> asterisk daemon. This probably opens the door to privilege escalations.
>
> --
> Tzafrir Cohen
Robert McNaught
2007-Nov-30 22:49 UTC
[asterisk-users] asterisk as non-root/best practices
Thanks for the reply Tzafrir,

I tried the below, but I think maybe I misexplained what I am trying to do. I have asterisk running as user asterisk - I followed the instructions in the Asterisk book and have everything stored in /home/asterisk/asterisk-bin - this includes logs, pid files, configs etc etc.

My asterisk.conf is:

[directories]
astetcdir => /home/asterisk/asterisk-bin/asterisk
astmoddir => /home/asterisk/asterisk-bin/lib/asterisk/modules
astvarlibdir => /home/asterisk/asterisk-bin/lib/asterisk
astdatadir => /home/asterisk/asterisk-bin/lib/asterisk
astagidir => /home/asterisk/asterisk-bin/lib/asterisk/agi-bin
astspooldir => /home/asterisk/asterisk-bin/spool/asterisk
astrundir => /home/asterisk/asterisk-bin/run
astlogdir => /home/asterisk/asterisk-bin/log/asterisk

[options]
;internal_timing = yes
systemname = XXXXX ; prefix uniqueid with a system name for global uniqueness issues
; Changing the following lines may compromise your security.
;[files]
;astctlpermissions = 0770
astctlowner = asterisk
astctlgroup = asterisk
;astctl = asterisk.ctl

My problem is that a non-privileged user, eg admin, cannot log in and connect to the console by issuing the following:

[admin at XXXX]$ asterisk -r
bash: asterisk: command not found

[admin at XXXXX]$ whereis asterisk
asterisk: /usr/sbin/asterisk /usr/lib/asterisk /usr/include/asterisk /usr/include/asterisk.h /usr/share/man/man8/asterisk.8

What is the best way to solve this problem?

I have tried adding

admin ALL=(ALL) ALL - I will prune back once I verify I can get this working

into visudo, but even that returns asterisk: command not found.

Does anyone out there know the best way around this - I tried adding in a symbolic link in /usr/bin/asterisk to point to the /home/asterisk/asterisk-bin/sbin/asterisk file, which worked, but is a hack around the problem and I don't believe this is the way.

It seems that non-privileged users cannot run commands in sbin, but can in bin directories.

Robert

> On Mon, Nov 19, 2007 at 08:51:21AM -0800, Robert McNaught wrote:
> > Hi,
> >
> > I have set up asterisk to run as non root, and allow admin users to log
> > in to the server as asterisk, which gives them privileges to edit
> > configs in the asterisk home directory.
>
> The daemon runs as the user asterisk. There is no reason why the admin
> should run as the user asterisk.
>
> > As for connecting to the console with 'asterisk -r' - this by default
> > does not work as asterisk is stored in /usr/sbin/asterisk
> >
> > I am reading that the best way to solve this is to use 'visudo' - I
> > added this:-
> >
> > asterisk ALL=/usr/sbin/asterisk -r NOPASSWD: ALL
>
> This is totally unrequired. You just need to set proper permissions for
> the socket /var/run/asterisk/asterisk.ctl . This is done in
> asterisk.conf -
>
> [files]
> ;astctlpermissions = 0660
> ;astctlowner = root
> astctlgroup = asterisk
> ;astctl = asterisk.ctl
>
> http://svn.digium.com/svn/asterisk/branches/1.4/doc/asterisk-conf.txt
>
> > asterisk ALL=/usr/sbin/safe_asterisk NOPASSWD: ALL
>
> Why would Asterisk need to run safe_asterisk?
>
> With an arbitrary parameter?
>
> You may want to permit some administrator to do that, but not the
> asterisk daemon. This probably opens the door to privilege escalations.
>
> --
> Tzafrir Cohen
> icq#16849755 jabber:tzafrir.cohen at xorcom.com
> +972-50-7952406 mailto:tzafrir.cohen at xorcom.com
> http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
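Tzafrir's advice is to control console access through the owner, group and mode of the control socket in the `[files]` section of asterisk.conf rather than through sudo. The following is an added example, not code from the thread or from Asterisk: it reads that section the way Asterisk's config syntax is written (`;` comments, `=` or `=>`) and reports whether a given non-root user can open the socket. Run on the asterisk.conf posted above, it also shows that a commented-out `;[files]` header leaves the `astctlowner`/`astctlgroup` lines under `[options]`, where they do not apply to the socket. Treating an unset owner/group as the daemon's own identity is an assumption.

```python
import re

# Constructed inputs: Tzafrir's [files] block with the mode line uncommented,
# and the later asterisk.conf from the thread with its "[files]" header commented out.
CONF_SUGGESTED = """[files]
astctlpermissions = 0660
;astctlowner = root
astctlgroup = asterisk
"""
CONF_FROM_THREAD = """[options]
;[files]
;astctlpermissions = 0770
astctlowner = asterisk
astctlgroup = asterisk
"""

def parse_asterisk_conf(text):
    # Asterisk's INI dialect: [section], key = value or key => value, ';' comment.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ";[files]" becomes an empty line
        if not line:
            continue
        head = re.fullmatch(r"\[([^\]]+)\]", line)
        if head:
            current = sections.setdefault(head.group(1), {})
            continue
        kv = re.fullmatch(r"([^=]+?)\s*=>?\s*(.*)", line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2).strip()
    return sections

def socket_policy(conf, daemon_user="asterisk"):
    # Only keys under [files] apply to the socket; unset owner/group are
    # assumed to stay at the daemon's identity, which created the socket.
    files = conf.get("files", {})
    perms = files.get("astctlpermissions")
    return {"owner": files.get("astctlowner", daemon_user),
            "group": files.get("astctlgroup", daemon_user),
            "mode": int(perms, 8) if perms else None}

def can_connect(policy, user, groups):
    # 'asterisk -r' needs read+write on the socket. None: astctlpermissions
    # is unset, so the mode is whatever the daemon's umask produced.
    if user == "root":
        return True
    if policy["mode"] is None:
        return None
    shift = 6 if user == policy["owner"] else 3 if policy["group"] in groups else 0
    return ((policy["mode"] >> shift) & 0o6) == 0o6
```

With the suggested block, an admin account connects only when it is a member of the asterisk group; with the thread's config, no `[files]` section exists, so the outcome depends on the daemon's umask rather than on the posted settings.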
Robert McNaught
2007-Nov-30 22:59 UTC
[asterisk-users] asterisk as non-root/best practices
> Thanks for the reply Tzafrir,
>
> I tried the below, but I think maybe I misexplained what I am trying
> to do. I have asterisk running as user asterisk - I followed the
> instructions in the Asterisk book and have everything stored
> in /home/asterisk/asterisk-bin - this includes logs, pid files,
> configs etc etc
>
> my asterisk.conf is
>
> [directories]
> astetcdir => /home/asterisk/asterisk-bin/asterisk
> astmoddir => /home/asterisk/asterisk-bin/lib/asterisk/modules
> astvarlibdir => /home/asterisk/asterisk-bin/lib/asterisk
> astdatadir => /home/asterisk/asterisk-bin/lib/asterisk
> astagidir => /home/asterisk/asterisk-bin/lib/asterisk/agi-bin
> astspooldir => /home/asterisk/asterisk-bin/spool/asterisk
> astrundir => /home/asterisk/asterisk-bin/run
> astlogdir => /home/asterisk/asterisk-bin/log/asterisk
>
> [options]
> ;internal_timing = yes
> systemname = XXXXX ; prefix uniqueid with a system name for global
> uniqueness issues
> ; Changing the following lines may compromise your security.
> ;[files]
> ;astctlpermissions = 0770
> astctlowner = asterisk
> astctlgroup = asterisk
> ;astctl = asterisk.ctl
>
> my problem is that a non-privileged user, eg admin, cannot log in and
> connect to the console by issuing the following
>
> [admin at XXXX]$ asterisk -r
> bash: asterisk: command not found
>
> [admin at XXXXX]$ whereis asterisk
> asterisk: /usr/sbin/asterisk /usr/lib/asterisk /usr/include/asterisk /usr/include/asterisk.h /usr/share/man/man8/asterisk.8
>
> what is the best way to solve this problem?
>
> i have tried adding
>
> admin ALL=(ALL) ALL - I will prune back once I verify I can
> get this working
>
> into visudo, but even that returns asterisk:command not found
>
> Does anyone out there know the best way around this - I tried adding
> in a symbolic link in /usr/bin/asterisk to point to
> the /home/asterisk/asterisk-bin/sbin/asterisk file, which worked, but
> is a hack around the problem and don't believe this is the way
>
> It seems that non-privileged users cannot run commands in sbin, but
> can in bin directories
>
> Robert
>
> > On Mon, Nov 19, 2007 at 08:51:21AM -0800, Robert McNaught wrote:
> > > Hi,
> > >
> > > I have set up asterisk to run as non root, and allow admin users to log
> > > in to the server as asterisk, which gives them privileges to edit
> > > configs in the asterisk home directory.
> >
> > The daemon runs as the user asterisk. There is no reason why the admin
> > should run as the user asterisk.
> >
> > > As for connecting to the console with 'asterisk -r' - this by default
> > > does not work as asterisk is stored in /usr/sbin/asterisk
> > >
> > > I am reading that the best way to solve this is to use 'visudo' - I
> > > added this:-
> > >
> > > asterisk ALL=/usr/sbin/asterisk -r NOPASSWD: ALL
> >
> > This is totally unrequired. You just need to set proper permissions for
> > the socket /var/run/asterisk/asterisk.ctl . This is done in
> > asterisk.conf -
> >
> > [files]
> > ;astctlpermissions = 0660
> > ;astctlowner = root
> > astctlgroup = asterisk
> > ;astctl = asterisk.ctl
> >
> > http://svn.digium.com/svn/asterisk/branches/1.4/doc/asterisk-conf.txt
> >
> > > asterisk ALL=/usr/sbin/safe_asterisk NOPASSWD: ALL
> >
> > Why would Asterisk need to run safe_asterisk?
> >
> > With an arbitrary parameter?
> >
> > You may want to permit some administrator to do that, but not the
> > asterisk daemon. This probably opens the door to privilege escalations.
> >
> > --
> > Tzafrir Cohen
> > icq#16849755 jabber:tzafrir.cohen at xorcom.com
> > +972-50-7952406 mailto:tzafrir.cohen at xorcom.com
> > http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
Robert McNaught
2007-Nov-30 23:45 UTC
[asterisk-users] asterisk as non-root/best practices
Not in path:

[admin at XXXXXX]$ echo $PATH
/usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/admin/bin

> Is /sbin in your path?
>
> CP
>
> Robert McNaught wrote:
> >
> > my problem is that a non-privileged user, eg admin, cannot log in and
> > connect to the console by issuing the following
> >
> > [admin at XXXX]$ asterisk -r
> > bash: asterisk: command not found
> >
> > [admin at XXXXX]$ whereis asterisk
> > asterisk: /usr/sbin/asterisk /usr/lib/asterisk /usr/include/asterisk
> > /usr/include/asterisk.h /usr/share/man/man8/asterisk.8
> >
> > what is the best way to solve this problem?
> >
> > i have tried adding
> >
> > admin ALL=(ALL) ALL - I will prune back once I verify I can
> > get this working
> >
> > into visudo, but even that returns asterisk:command not found
> >
> > Does anyone out there know the best way around this - I tried adding in
> > a symbolic link in /usr/bin/asterisk to point to the
> > /home/asterisk/asterisk-bin/sbin/asterisk file, which worked, but is a
> > hack around the problem and don't believe this is the way
> >
> > It seems that non-privileged users cannot run commands in sbin, but can
> > in bin directories
> >
> > Robert
On Fri, 30 Nov 2007, Robert McNaught wrote:

>> It seems that non-privileged users cannot run commands in sbin, but
>> can in bin directories

Unless something in your host is major league hosed, this is not true. Try:

/sbin/runlevel
/usr/sbin/ntpdate -q 0.us.pool.ntp.org

Depending on who you ask, the "s" in sbin means "static" or "system." On Linux, it appears to mean "system" since both of these are dynamically linked.

Thanks in advance,
------------------------------------------------------------------------
Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000